[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : WINU 4/5 weak password vulnerability

Title: WINU 4/5 weak password vulnerability
Released by: Nu Omega Tau
Date: 18th August 2000
Printable version: Click here

* WINU 4/5 weak password vulnerability *


WinU 4/5 weak password encryption leads to possible WinU administrator compromise



As we all know is Windows 9X an OS without any (good/local) security. WinU (http://www.bardon.com) is one of the many programs who in trying to change this and in my opinion did the best job till now. But some things can still be improved, such as the password encryption...

Encryption - Version 4.X-5.0


Up to version 5.0 the following password encryption algorythm is used:

154 - asciicode_of_character = encrypted_asciicode_of_character

in other words, for the letter "A" (ASCII 65) the formula would be

154 - 65 = 89


154 - ASCII(A) = ASCII(Y)

So the word WinU (ASCII 87, 105, 110, 85) would encrypt to: C1,E (ASCII 67, 49, 44, 69)

The encrypted string is then reversed (E,1C) to confuse a password cracker.

The encrypted password is then stored in the Windows registry:


The other program settings are also in the key, but the encrypted password is somewhere near the beginning, if it's a word you'll be able to recognise it if you just decrypt the entire string.

Encryption - Version 5.1


Well... Bardon "fixed" it in version 5.1, instead of the

154 - asciicode_of_character = encrypted_asciicode_of_character formula

the following formula is used now:

asciicode_of_character + 101 = encrypted_asciicode_of_character

This only protects from passwords attacks where a canned program (like the infamous WinU4 hacker utilities) is used. The more advanced and/or determined cracker will search for the right algorythm and with the help of a text of the 4-5.0 algorythm he'll be able to crack it within minutes.

Other versions


Versions earlier then 4.0 probably use the 4.X algorythm or a even weaker scheme.

I wasn't able to get version 5.02, it probably uses the 5.1 algorythm because it was released after I released the algorythm in public.

Possible fix


Use a non-reverseable encryption algorythm like DES or something or at least a little more complicated formula then + this or - that.



This vurnerability makes WinU very insecure, lot's of computernetworks using WinU can be easy taken over, especially if they've got an easy to recognise password like "oliebollen" or something.

Checkout www.bardon.com for a list of WinU users... wow!...shit :)

(C) 1999-2000 All rights reserved.