Title: WINU 4/5 weak password vulnerability
Released by: Nu Omega Tau
Date: 18th August 2000
****************************************

* WINU 4/5 weak password vulnerability *

****************************************



WinU 4/5 weak password encryption leads to possible WinU administrator compromise



Introduction

============

As we all know, Windows 9X is an OS without any real (local) security. WinU (http://www.bardon.com) is one of the many programs that try to change this and, in my opinion, it did the best job so far. But some things can still be improved, such as the password encryption...



Encryption - Version 4.X-5.0

============================

Up to version 5.0 the following password encryption algorithm is used:

154 - asciicode_of_character = encrypted_asciicode_of_character

in other words, for the letter "A" (ASCII 65) the formula would be

154 - 65 = 89

or

154 - ASCII(A) = ASCII(Y)

So the word WinU (ASCII 87, 105, 110, 85) would encrypt to: C1,E (ASCII 67, 49, 44, 69)

The encrypted string is then reversed (E,1C) to confuse a password cracker.

The encrypted password is then stored in the Windows registry:

HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config

The other program settings are stored in the same key, but the encrypted password sits somewhere near the beginning; if it's a word, you will be able to recognise it once you decrypt the entire string.



Encryption - Version 5.1

========================

Well... Bardon "fixed" it in version 5.1. Instead of the formula

154 - asciicode_of_character = encrypted_asciicode_of_character

the following formula is now used:

asciicode_of_character + 101 = encrypted_asciicode_of_character



This only protects against password attacks where a canned program (like the infamous WinU4 hacker utilities) is used. A more advanced and/or determined cracker will search for the right algorithm and, with the help of a write-up of the 4.x-5.0 algorithm, will be able to crack it within minutes.



Other versions

==============

Versions earlier than 4.0 probably use the 4.X algorithm or an even weaker scheme.

I wasn't able to get version 5.02; it probably uses the 5.1 algorithm because it was released after I released the algorithm in public.



Possible fix

============

Use a non-reversible encryption algorithm like DES or something, or at least a somewhat more complicated formula than + this or - that.
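As an added example (not code from the advisory or from Bardon), here are the two transforms from the "Encryption" sections written out, to show that neither needs any secret to undo, next to the kind of salted one-way storage the paragraph above is asking for. That 5.1 drops the string reversal is an assumption; the advisory does not say, and the PBKDF2 parameters are a sample choice.

```python
import hashlib
import hmac
import os


def winu4_transform(text: str) -> str:
    """WinU 4.x-5.0: every character becomes 154 - c, then the string is reversed.

    Applying it twice gives the input back (154 - (154 - c) == c and the
    reversal cancels), so the "encryption" routine is also the decryption.
    """
    return "".join(chr(154 - ord(c)) for c in text)[::-1]


def winu51_transform(password: str) -> str:
    """WinU 5.1: every character becomes c + 101 (assumed: no reversal)."""
    return "".join(chr(ord(c) + 101) for c in password)


def winu51_invert(stored: str) -> str:
    """Undoing 5.1 is the same arithmetic with the sign flipped; still no key."""
    return "".join(chr(ord(c) - 101) for c in stored)


def store_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One-way, salted, slow: PBKDF2-HMAC-SHA256 (200k iterations, sample choice).

    The stored (salt, digest) pair does not let anyone compute the password
    back; the only route left is guessing and re-running the derivation.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the re-derived digest with the stored one."""
    _, cand = store_password(candidate, salt)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # The advisory's own worked example: "WinU" -> "C1,E" -> reversed "E,1C".
    print(winu4_transform("WinU"), winu4_transform(winu4_transform("WinU")))
    print(winu51_invert(winu51_transform("WinU")))
    salt, digest = store_password("oliebollen")   # constructed sample password
    print(verify_password("oliebollen", salt, digest), verify_password("WinU", salt, digest))
```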



Conclusion

==========

This vulnerability makes WinU very insecure; lots of computer networks using WinU can easily be taken over, especially if they've got an easy-to-recognise password like "oliebollen" or something.

Check out www.bardon.com for a list of WinU users... wow!...shit :)








(C) 1999-2000 All rights reserved.