Weak Password Encryption Scheme in Integrated Dialer

by Nikola Strahija on November 2nd, 2002

[Note to Moderator: This vulnerability would probably affect only the 500,000 or so Indian subscribers of the Indian ISP - VSNL. But there being no India-specific forum to post bugs we are posting it here.]


========================================
Name: Integrated Dialer Software for VSNL
Version: 1.2.000
Systems: All Windows Platforms
Severity: Medium
Type: Weak Password Encryption Scheme
Vendor: VSNL http://internet.vsnl.com
Author: Arjun Pednekar [email protected]
Advisory URL: http://www.nii.co.in/vuln/idvsnl.html
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
========================================


Description:
========
VSNL is one of India's largest Internet Service Providers. It provides its
subscribers with an Integrated Dialer, which is a sort of replacement to
Windows Dial-up Networking. This Dialer is available for free download from
its website http://internet.vsnl.net.in/dialer/vsnlsetup.exe. The
(dis)advantage of the Integrated Dialer is that it shows streaming ads while
the user is surfing.

The Integrated Dialer offers a "Save Password" option, so that the user
need not enter the password again. However, the algorithm used to encrypt
and store the password is very weak, and the stored value can be easily
decrypted as shown below.


Impact:
=====
The weakly encrypted password is the one subscribers use to connect to
VSNL for Internet access, as well as to authenticate to their email account.
Any compromise of this password would mean their Internet account being
stolen as well as their emails being compromised. However, to decrypt the
password, local registry access would be required.


Details:
======
The encryption algorithm uses a simple one-to-one mapping technique which
can easily be deciphered. The encrypted password is stored in the following
registry key, which is constant on all Windows platforms:

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key : VSNL.COMDialerConfig
Name: Password
Type: REG_SZ

The array used to map the password-to-encrypted data is given below:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`[email protected]#4$5%6^7&8*9(0)-_
=+|[{]}};:',<.>/?

During encryption, the above characters are mapped one-to-one with the below
array.

[email protected]#$%^&*()_+1234567890-=[{]}};:`,<.>/?aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRs
StTuUvVwWxXyYzZZA

For decryption, a simple reverse mapping is carried out.
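
An added example (not part of the advisory and not the NII PoC) showing why a fixed one-to-one table gives no protection to a saved password: there is no key, the reverse table follows directly from the forward one, and the stored value keeps the password's length and repeated-character structure. The alphabets below are constructed for illustration and are not the dialer's tables; all function names are hypothetical.

```python
"""Added illustration: properties of a fixed one-to-one character mapping."""
import string

# Constructed alphabets for illustration only; NOT the dialer's real tables.
PLAIN = string.ascii_lowercase + string.ascii_uppercase + string.digits
CIPHER = PLAIN[7:] + PLAIN[:7]  # any fixed permutation behaves the same way


def build_tables(plain, cipher):
    """Return (encode, decode) dicts, refusing tables that are not a bijection."""
    if len(plain) != len(cipher):
        raise ValueError("alphabets differ in length")
    if len(set(plain)) != len(plain) or len(set(cipher)) != len(cipher):
        raise ValueError("duplicate symbol: mapping is not reversible")
    encode = dict(zip(plain, cipher))
    decode = {c: p for p, c in encode.items()}
    return encode, decode


def store(password, encode):
    """What a 'Save Password' feature built on such a table would write out."""
    return "".join(encode[ch] for ch in password)


def recover(stored, decode):
    """Reverse mapping: needs only the table, which is the same on every install."""
    return "".join(decode[ch] for ch in stored)


def repetition_pattern(text):
    """Structure that stays visible in the stored value even without the table."""
    first_seen = {}
    return [first_seen.setdefault(ch, len(first_seen)) for ch in text]


if __name__ == "__main__":
    enc, dec = build_tables(PLAIN, CIPHER)
    sample = "Monsoon2002"  # constructed sample password
    stored = store(sample, enc)
    print("stored value      :", stored)
    print("recovered         :", recover(stored, dec))
    print("pattern preserved :",
          repetition_pattern(stored) == repetition_pattern(sample))
```

A stored credential should instead be protected with a secret that is not shipped with the software, or not stored at all, as the workaround below advises.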


PoC Decryption Utility:
================
We have coded a simple utility in Assembly to demonstrate the
encryption/decryption routine. You can download it along with the source code
from http://www.nii.co.in/vuln/idvsnl.html


Vendor Response and Timeline:
======================
21 Oct 2002: Email sent to vendor about the vulnerability
28 Oct 2002: Reminder email sent as per our Vulnerability Disclosure Policy
(http://www.nii.co.in/vdp.html)
1st Nov 2002: Advisory posted
We decided to go ahead and post this advisory, since no vendor response was
forthcoming even after repeated emails.


Workarounds:
==========
Do not use the "Save Password" option in the Dialer. If you were using that
option earlier, delete the registry key mentioned above. Better still, use
good old DUN (Windows Dial-up Networking) instead.


Sincerely,

Arjun Pednekar,
Systems Security Analyst
Network Intelligence India Pvt. Ltd.,
Email: [email protected]
Web: http://www.nii.co.in
Phone: 91-22-2001530 / 2006019

