
List:       cryptography
Subject:    Re: bo2k cryptography
From:       mischief@lanesbry.com
Date:       1999-08-24 22:00:19

mischief@lanesbry.com wrote:
> 
> The authors have announced and fixed one bug...

Here are the details of that one:


http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-1&msg=Pine.GSO.4.05.9908021606360.4451-100000@www.securityfocus.com


---------- Forwarded message ----------
Date: Sun, 01 Aug 1999 21:29:40 -0500
From: Irwan Amir Widjaja <irwanw@netscape.net>
To: vuldb@securityfocus.com
Subject: bo2k plugins

Hi,

I recently (July 31st) discovered that the CAST-256 plugin v2.2
allows any user to connect to any CAST256 server with any password.
After I reported the bug to Daniel (the author), he fixed the plugin
within a few hours and found that the problem lay within Maw~'s MD5
module, which he used for his plugin (Dan later found that MAW~'s IDEA
plugin has the same flaw).

This is obviously a very big security risk for administrators who use
bo2k as a legit remote administration tool (as opposed to a 'cracking &
hacking' tool).

Currently CAST-256 and IDEA are the only strong encryption plugins which
are internationally available for bo2k (the only ones I'm aware of at
least).

There were over 1000 downloads of the faulty CAST256 plugin alone.

Both of these plugins have been updated by their authors.

Sincerely,

Amir

