I monitored the client-server communication for quite some time and I realized that after issuing a configuration change at the server, a special HTTP request is sent from the server to the TCP/61832 port of the client.
This is a simple GET request in the form of: As you can see, this algorithm is basically a simple polyalphabetic cipher (similar to the Vigenere cipher), that I could easily recreate independently from the original library: after running a quick loop that encrypted 1KB strings of all printable characters (1024 times ‘A’, 1024 times ‘B’, etc.), I had a database that could be used to encrypt and decrypt virtually anything.
I focused my research on the clients as these are widely deployed on a typical network.
After installing a trial version (10.6 SP1) I could already tell that this software will worth the effort: And there are possibly many other fragile parts of the system.
MD5 can be effectively brute-forced, so this is definitely bad, not to mention that the proxy password can be retrieved in plain text.
But this is not really high impact, so I dug further.
Analyzing the security of security software is one of my favorite research areas: it is always ironic to see software originally meant to protect your systems open a gaping door for the attackers.
Earlier this year I stumbled upon the Office Scan security suite by Trend Micro, a probably lesser known host protection solution (AV) still used at some interesting networks.