Xircom REX6000 PDA Password Retrieval

From: Daniel Jonsson (daniel2at_private)
Date: Fri Nov 23 2001 - 05:38:24 PST


    >>Security Advisory<<
                                     
    TITLE          : XIRCOM REX6000 PDA Password Retrieval
    REVISION       : 1
    CLASS          : Password Retrieval
    VENDOR         : Xircom (now Intel)
    CREDIT         : Daniel Jonsson <daniel2at_private>
    STATUS         : 
    PLATFORM(S)    : 
    VULNERABLE     : Xircom REX6000 MicroPDA
           CREATED : 2001-11-23
      LAST UPDATED : 2001-11-23
    VENDOR CONTACT : Not Contacted
           RELEASE : 2001-11-23
    
    DESCRIPTION
      The Xircom REX6000 PCMCIA PDA can be protected with a PIN code
      of up to 10 digits that, at the highest security level, must
      be entered via the touchscreen every time the PDA is powered
      on. After a correct code is entered, all data stored on the
      PDA is available for access. Memos marked Private need the
      same PIN code to be entered again every time they are
      accessed. The manual states clearly that "PIN code is to
      protect the data".
      
      However, the PIN Code protection structure built into the
      REX6000 PDA makes this secret PIN Code useless for protecting
      any type of data. Using the included REXTOOLS program, the user
      can copy/paste/change the PDA information via a computer.
      REXTOOLS and the REX6000 PDA use serial (COMx) for
      communication. The REXTOOLS program correctly asks for the
      PIN Code when trying to access the PDA and prevents
      information from being shown in the program if the PIN Code
      is incorrect. However, the verification of the PIN Code is
      done by the REXTOOLS program, and here lies the PIN Code
      structure flaw. By using a serial monitor program to listen
      to the communications between REXTOOLS and the PDA, one can
      see that the PIN Code is sent in cleartext from the PDA to
      REXTOOLS after some initial communication, just before
      REXTOOLS prompts for the PIN Code and verifies that the one
      entered is the same as the one received from the PDA.
      
      In short, every PIN Code protected REX6000 PDA can be
      compromised by just starting a serial monitor, connecting
      to the PDA using REXTOOLS, reading the cleartext PIN Code sent
      from the PDA and entering it when REXTOOLS asks for that PIN
      Code, or by simply ejecting the PCMCIA REX6000 PDA and entering
      the PIN Code via the touchscreen.
      
    CONDITION
      Requires a serial monitor program, a protected REX6000 PDA
      and the Xircom REXTOOLS program, downloadable from the internet.
    
    EXAMPLE
      No example needed
      
    PROOF OF CONCEPT
      No proof of concept needed
      
    SOLUTION/VENDOR INFORMATION/WORKAROUND
      Vendor not contacted
    
    (C) Copyright 2001
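
The flaw described above is that the PDA releases its PIN to the host and lets the host decide whether access is granted. The following C sketch is an added example, not part of the original advisory and not Xircom's protocol or code: it sets that pattern beside a device-side check that returns only a status code. All names, the lockout threshold and the sample PIN used with it are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define PIN_MAX   10   /* the advisory gives a PIN of up to 10 digits */
#define MAX_TRIES 5    /* assumed lockout threshold, not from the advisory */

/* Hypothetical device state; pin[] is NUL-terminated and zero-padded. */
struct device { char pin[PIN_MAX + 1]; unsigned failures; int unlocked; };

enum auth_result { AUTH_OK, AUTH_BAD, AUTH_LOCKED };

/* Pattern the advisory describes: the device sends its stored PIN to the
 * host and the host compares. Whatever lands in `out` is on the wire. */
size_t flawed_send_pin(const struct device *d, char *out, size_t cap)
{
    size_t n = strlen(d->pin);
    if (n + 1 > cap) return 0;
    memcpy(out, d->pin, n + 1);
    return n;
}

/* Compare every byte with no early exit, so timing does not depend on
 * how many leading digits of the guess are right. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Device-side check: the host submits a guess and gets back a status
 * code only. The stored PIN is never copied into a reply, and repeated
 * failures lock the interface so the PIN cannot be guessed over serial. */
enum auth_result device_check_pin(struct device *d, const char *guess, size_t len)
{
    char padded[PIN_MAX + 1] = {0};
    int ok;

    if (d->failures >= MAX_TRIES) return AUTH_LOCKED;
    if (len <= PIN_MAX) memcpy(padded, guess, len);   /* oversize guess stays all-zero */
    ok = (len == strlen(d->pin)) & ct_equal(padded, d->pin, sizeof padded);
    if (!ok) { d->failures++; d->unlocked = 0; return AUTH_BAD; }
    d->failures = 0;
    d->unlocked = 1;
    return AUTH_OK;
}
```

With the check on the device, a host that does not know the PIN learns nothing from connecting. The guess itself still crosses the serial line in cleartext whenever a legitimate user authenticates, so this closes the retrieval path, not eavesdropping on a valid login.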
    


