CryptoBuddy Unused Encryption Passphrase Vulnerability
A vulnerability has been reported for CryptoBuddy that may result in attackers intercepting and decoding encrypted information. The vulnerability exists because CryptoBuddy does not use the user-supplied passphrase to encrypt files. Instead, the passphrase is encrypted and stored at a known offset in the encrypted file. It is likely that the passphrase is tested and used to initiate the decryption of the data using the CryptoBuddy algorithm. By modifying the contents of an encrypted file, it is possible for an attacker to use their own encrypted passphrase to decrypt the contents. An attacker can exploit this vulnerability by creating a passphrase and replacing the passphrase located in an encrypted file, at a known offset, with their own. By using CryptoBuddy to decrypt the file, the attacker-supplied passphrase could then be supplied to initiate the decryption. Exploitation of this vulnerability may result in the disclosure of sensitive information.
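
The design fix implied by the description above, as an added sketch that is not CryptoBuddy's code or file format: the key is derived from the passphrase with PBKDF2, nothing passphrase-related is stored in the file, and an HMAC covers both header and ciphertext. The file layout, iteration count and function names are assumptions, and the HMAC-based keystream is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the passphrase itself."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for a vetted cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Layout (assumed): salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, nonce, len(plaintext))
    body = salt + nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_file(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag over header and ciphertext before decrypting anything."""
    if len(blob) < 64:
        raise ValueError("truncated file")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified file")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))
```

Because the decryption key exists only as a function of the passphrase, replacing header fields with values taken from another file changes the derived key instead of unlocking the data.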