[NT] Respondus Stores Passwords Using Weak Encryption Methods

From: support@securiteam.com
Date: 08/30/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Respondus Stores Passwords Using Weak Encryption Methods
Message-Id: <20010830173255.450DC138BF@mail.der-keiler.de>
Date: Thu, 30 Aug 2001 19:32:55 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Respondus Stores Passwords Using Weak Encryption Methods
------------------------------------------------------------------------

SUMMARY

 <http://www.respondus.com/products/index.shtml> Respondus is an
application that enhances the functionality and usability of WebCT's quiz,
survey, and self-test tools. The product utilizes a weak encryption
algorithm that makes the passwords stored in it easily recoverable.

DETAILS

Vulnerable systems:
Respondus version 1.1.2

Telling Respondus to remember your userid and password will cause the
product to store them in the WEBCT.SVR file in the "Respondus Projects"
directory. The information is "encrypted" by taking the ASCII value of
each password character and adding it to a corresponding constant to get
the value to store. This is extremely simple and can easily be reversed
as shown below:

WEBCT.SVR with No Userid / Password

  0: 08 00 00 00 01 00 00 00 88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B 12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F 14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E 14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13 16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10 17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15 89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11 0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D 64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18 6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2 16 15 17 16 11 17 12 0D
 D0: 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
 F0: 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10 64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48 15 0E 16 0F 18 10 11 11
130: 13 12 13 13 15 14 15 15

WEBCT.SVR with Userid / Password

  0: 08 00 00 00 01 00 00 00 88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B 12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F 14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E 14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13 16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10 17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15 89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11 0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D 64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18 6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2 8B 88 7C 88 7A 7B 12 0D
 D0: 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
 F0: 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10 64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48 15 0E 16 0F 18 10 11 11
130: 13 12 13 13 14 14 15 15

C8-EF = userid
F0-117 = password

To see the password in plain text subtract the value shown in the
WEBCT.SVR file with no info saved from the value in the same position in
the file with the info saved. Stop when you reach the point where the
values are equal and the result is therefore 0.

Example:
C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13
15 14 16 15 17 16
0D 17 0E 11 0F 12 10 13 11 14 12 C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F
15 10 16 11 17 12
11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12 75 73 65
72 69 64 0 <- stop u s e r i d

F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12
12 13 13 14 14 15 15
16 16 17 17 0D 11 0E 12 0F 13 10 F0-117 15 13 16 14 17 15 11 16 12 17 13
0D 14 0E 15 0F 16 10
17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10 70 61 73
73 77 6F 72 64 0 <- stop p a s s w o r d

The WEBCT.SVR file always uses the same default values so once you know
them on one machine you can use them to determine the userid and password
stored in any WEBCT.SVR file.

This is an improvement from Version 1.0 where the password was stored in
the same file in the same position in plain text. The password was also
displayed on the screen in plain text when entered in that version as well
- the new version now displays asterisks.

Workaround:
 - Uncheck "Remember my User Name and Password (save them on this
computer)".

Vendor status:
The vendor has been notified and is planning to address the issue in the
future.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:desmond.irvine@sheridanc.on.ca> Desmond Irvine.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.