Opened 14 years ago

Closed 13 years ago

#954 closed defect (fixed)

OSCam Login Password Bug - Access with every password of same length as original password

Reported by: scooter4096
Owned by: schlocke
Priority: critical
Component: Protocol - CCCam
Severity: high
Keywords:
Cc:
Sensitive: no

Description

Sorry if this issue is already fixed - don't have the possibility to check this atm.
Couldn't find it in the timeline...

Scenario:

I have OSCAM 0.99.4svn build #2901 on my Dreambox dm800. As mentioned in the title, a client gets access if he knows the login name and the length of the password... Seems as if every character is allowed.

If he enters a password not equal to the length of the real password, my server logs this:

2010/09/29 19:19:19 24098 s client(7) connect from 91.67.135.xxx (pid=7052, pipfd=24)
2010/09/29 19:19:19 7052 c07 encrypted cccam-client 91.67.135.xxx granted (User15, au=0)
2010/09/29 19:19:19 7052 c07 cccam(s) User15: message too big (size=52505)
2010/09/29 19:19:19 7052 c07 cccam(s) User15: client (0000000000000000) running v ()
2010/09/29 19:19:19 7052 c07 cccam(s) User15: version: 2.1.1, build: 2971 nodeid: 0000000000000000
2010/09/29 19:19:19 7052 c07 cccam(s) User15: reported 3 cards to client
2010/09/29 19:19:19 7052 c07 cccam(s) User15: message too big (size=20246)
2010/09/29 19:19:19 7052 c07 cccam(s) User15: connection closed to client
2010/09/29 19:19:19 7052 c07 User15 disconnected from 91.67.135.xxx

and the sun doesn't shine for him.

Again, sorry if this is already fixed...

cheers

Change History (7)

comment:1 by scooter4096, 14 years ago

Same with version 1.0 svn 3190!

comment:2 by scooter4096, 14 years ago

Tested only for CCcam...

comment:3 by scooter4096, 13 years ago

Bug only in CCcam Protocol...

comment:4 by Deas, 13 years ago

Owner: set to schlocke

comment:5 by schlocke, 13 years ago

Resolution: wontfix
Status: new → closed

the user doesn't get access!
cccam never transfers passwords; instead the password becomes part of the data encryption of the transferred data.
So the user can first connect, but then can't transfer any data and we get such a "message too big" message. Data after wrong password is never transmitted readable. This is a limitation of the cccam protocol and can't be changed.

comment:6 by zacha81, 13 years ago

Resolution: wontfix
Status: closed → reopened

As far as I can say, scooter4096 is correct with his problem description. If the password LENGTH differs, "message too big" will be shown and access to the cards will be denied (at least CCcam will not be able to descramble but it will "see" which cards I have). At least my cccam client was able to get one ecm handled before being disconnected too.

If the length of the password is correct but the password itself is incorrect, e.g. "abcd" instead of "blah", the cccam client will gain access and can get its ecms handled.

Tried this with oscam 1,0 build 4335 (amd64) and cccam 2.2.1 (ppc).

This is a serious security issue as a client who has a correct username will be able to guess the password easily.

Also I think a cccam client who has a wrong password should not be able to get the cards advertised anyway.

comment:7 by schlocke, 13 years ago

Resolution: fixed
Status: reopened → closed

I think this is already fixed, please try with versions > 4600
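
A log check built on the excerpt in the description and on comment:5's explanation that a wrong password appears as a granted connection followed by "message too big" (added example, not part of the ticket or of OSCam; the sample lines and the 192.0.2.x addresses are constructed in the ticket's log format). As comment:6 reports, on affected builds a wrong password of the correct length produces no such line, so this check only sees wrong-length attempts.

```python
import re

# Constructed sample lines in the format of the log excerpt in the ticket.
SAMPLE_LOG = """\
2010/09/29 19:19:19 24098 s client(7) connect from 192.0.2.10 (pid=7052, pipfd=24)
2010/09/29 19:19:19 7052 c07 encrypted cccam-client 192.0.2.10 granted (User15, au=0)
2010/09/29 19:19:19 7052 c07 cccam(s) User15: message too big (size=52505)
2010/09/29 19:19:19 7052 c07 cccam(s) User15: reported 3 cards to client
2010/09/29 19:19:19 7052 c07 cccam(s) User15: message too big (size=20246)
2010/09/29 19:19:19 7052 c07 User15 disconnected from 192.0.2.10
2010/09/29 19:20:01 7060 c08 encrypted cccam-client 192.0.2.20 granted (User16, au=0)
2010/09/29 19:20:01 7060 c08 cccam(s) User16: reported 3 cards to client
2010/09/29 19:25:40 7060 c08 User16 disconnected from 192.0.2.20
"""

LINE = re.compile(r"^(\S+ \S+) (\d+) \S+ (.*)$")   # timestamp, pid, message
GRANTED = re.compile(r"encrypted cccam-client (\S+) granted \(([^,]+),")
TOO_BIG = re.compile(r"message too big \(size=\d+\)")
CARDS = re.compile(r"reported (\d+) cards to client")

def suspicious_sessions(log_text):
    """Return granted cccam sessions that then sent undecryptable data."""
    current = {}     # pid -> session currently open on that pid
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if g := GRANTED.search(msg):
            current[pid] = {"time": ts, "pid": pid, "ip": g.group(1),
                            "user": g.group(2), "too_big": 0, "cards": 0}
            sessions.append(current[pid])
        elif pid in current:
            if TOO_BIG.search(msg):
                current[pid]["too_big"] += 1
            elif c := CARDS.search(msg):
                # Cards advertised to a client that could not decrypt.
                current[pid]["cards"] += int(c.group(1))
    return [s for s in sessions if s["too_big"]]

if __name__ == "__main__":
    for s in suspicious_sessions(SAMPLE_LOG):
        print(f'{s["time"]} {s["user"]} from {s["ip"]}: '
              f'{s["too_big"]}x "message too big", {s["cards"]} cards reported')
```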
