[NT] NewsReactor Encryption Scheme Cracked

From: support@securiteam.com
Date: 01/22/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 22 Jan 2002 17:40:48 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  NewsReactor Encryption Scheme Cracked
------------------------------------------------------------------------

SUMMARY

 <http://www.daansystems.com/newsreactor/> NewsReactor is a tool to
download binaries from Usenet newsgroups. The product stores the user's
password in an unsafe manner that allows attackers to retrieve the plain
text version of the "encrypted" passwords.

DETAILS

NewsReactor stores your passwords in the NewsReactor.ini file with poor
encryption. Each character is simply 64 characters up the ASCII table from
that character itself.

Exploit:
Here is a simple VB code to "decrypt" the password:
'Note: Your password is located after the "Server0PassWord=" (for example)
in the NewsReactor.ini file.

Private Sub Form_Load()
Dim YourPass As String, PrintPass As String
YourPass = InputBox("Enter in the encrypted password below.")
For x = 1 To Len(YourPass)
    PrintPass = PrintPass & Chr(Asc(Mid(YourPass, x, 1)) - 64)
Next
MsgBox "Password: " & PrintPass
End
End Sub

ADDITIONAL INFORMATION

The information has been provided by <mailto:Adi@Rogers.com> Adi Feldman.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Re: Help secure my data (They will steal my drive)
    ... but it supports strong password-based encryption and can be ... printable ascii characters about 6.5 bit per character. ... In case your passphrase is not trivial it's much more likely an attacker ... will try to recover plaintext from swap files/virtual memory and from ...
    (sci.crypt)
  • Re: Defeating keyloggers with encrypted one time passwords (a patent spoiler?)
    ... > TIME PASSWORDS and more precisely an A4 sized paper full of them and ... > but just so little that the user can easily remove the encryption. ... > - remove two first character of each password ... The paper method also works well without the decryption instructions. ...
    (sci.crypt)
  • Re: Converting Commodore text files to The Numerica Format?
    ... >> byte for every character. ... The fun starts if you use a more complex ... > ago I ported a QBasic encryption program to C128 BASIC 7.0 If Paul is ... > Encryption is really pretty secure using the program I converted. ...
    (comp.sys.cbm)
  • Re: simple string encryption
    ... which seems to be a fast and small xor encryption algorithm. ... string into a textbox and then read the string from the textbox ... The reason is because strings in VB use two bytes per character and your code, as it stands, is messing about with both bytes of each character. ...
    (microsoft.public.vb.general.discussion)
  • Re: Encryption algorithm
    ... > character alphanumeric string in a COBOL program. ... consider these "obscuring" rather than "encryption", ... that you run the string through the same algorithm to encode and decode. ... This has the advantage of working with pretty much any character you'd ...
    (comp.lang.cobol)