Respondus v1.1.2 stores passwords using weak encryption

Desmond Irvine desmond.irvine at sheridanc.on.ca
Thu Aug 23 19:28:53 GMT 2001


I thought it would be appropriate to post this here for those who don't
read bugtraq.

Respondus Version 1.1.2 (7-26-2001) stores passwords using weak
encryption.

Synopsis:

If you have Respondus remember your userid and password it will store
them
in the WEBCT.SVR file in the "Respondus Projects" directory.  The
information
is "encrypted" by taking the ASCII value of each password character and
adding
it to a corresponding constant to get the value to store.  This is
extremely 
simplistic and can easily be reversed as shown below:

WEBCT.SVR with No Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  16 15 17 16 11 17 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 15 13 16 14 17 15 11 16  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 15 14 15 15

WEBCT.SVR with Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  8B 88 7C 88 7A 7B 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 85 74 89 87 8E 84 83 7A  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 14 14 15 15

C8-EF = userid
F0-117 = password

To see the password in plain text subtract the value shown in the
WEBCT.SVR
file with no info saved from the value in the same position in the file
with the info saved.  Stop when you reach the point where the values are
equal and the result is therefore 0.

i.e.

C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14
13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14
13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
      75 73 65 72 69 64  0 <- stop
      u  s  e  r  i  d

F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12
12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12
12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
       70 61 73 73 77 6F 72 64  0 <- stop
       p  a  s  s  w  o  r  d

The WEBCT.SVR file always uses the same default values so once you know
them
on one machine you can use them to determine the userid and password
stored in
any WEBCT.SVR file.

This is an improvement (I guess) from Version 1.0 where the password was
stored
in the same file in the same position in plain text.  The password was
also displayed
on the screen in plain text when entered in that version as well - the
new version
now displays asterisks.

Work-around:

- uncheck "Remember my User Name and Password (save them on this
computer)"
  you should have never checked it in the first place (even if it isn't
a
  shared computer).

The vendor has been notified and is planning on addressing the issue in
the future.

-- 
Desmond Irvine                Security Analyst, Information Technology
Sheridan College              Phone: 905-845-9430 x2035
1430 Trafalgar Road           Fax: 905-815-4011
Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca



More information about the unisog mailing list