Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: respon~1.htm

Respondus v1.1.2 weak encryption



COMMAND

    Respondus

SYSTEMS AFFECTED

    Respondus v1.1.2

PROBLEM

    Desmond Irvine found  following.  If  you have Respondus  remember
    your userid and password it will store them in the WEBCT.SVR  file
    in  the  "Respondus  Projects"  directory.   The  information   is
    "encrypted" by taking the  ASCII value of each  password character
    and adding  it to  a corresponding  constant to  get the  value to
    store.  This  is extremely simplistic  and can easily  be reversed
    as shown below:

        WEBCT.SVR with No Userid / Password
        
          0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
         10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
         20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
         30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
         40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
         50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
         60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
         70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
         80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
         90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
         A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
         B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
         C0: 45 12 13 12 17 18 16 A2  16 15 17 16 11 17 12 0D
         D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
         E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
         F0: 15 13 16 14 17 15 11 16  12 17 13 0D 14 0E 15 0F
        100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
        110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
        120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
        130: 13 12 13 13 15 14 15 15
        
        WEBCT.SVR with Userid / Password
        
          0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
         10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
         20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
         30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
         40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
         50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
         60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
         70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
         80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
         90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
         A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
         B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
         C0: 45 12 13 12 17 18 16 A2  8B 88 7C 88 7A 7B 12 0D
         D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
         E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
         F0: 85 74 89 87 8E 84 83 7A  12 17 13 0D 14 0E 15 0F
        100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
        110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
        120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
        130: 13 12 13 13 14 14 15 15
        
        C8-EF = userid
        F0-117 = password

    To see the password in plain text subtract the value shown in  the
    WEBCT.SVR  file  with  no  info  saved  from the value in the same
    position in the  file with the  info saved.   Stop when you  reach
    the point where the values  are equal and the result  is therefore
    0.  i.e.

        C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
        C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
              75 73 65 72 69 64  0 <- stop
              u  s  e  r  i  d
        
        F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
        F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
               70 61 73 73 77 6F 72 64  0 <- stop
               p  a  s  s  w  o  r  d

    The WEBCT.SVR  file always  uses the  same default  values so once
    you know them  on one machine  you can use  them to determine  the
    userid and password stored in any WEBCT.SVR file.

    This is  an improvement  from Version  1.0 where  the password was
    stored in the same file in  the same position in plain text.   The
    password  was  also  displayed  on  the  screen in plain text when
    entered in  that version  as well  - the  new version now displays
    asterisks.

    It's not  only Respondus,  but many  other programs  that needs to
    store passwords for,  let's say, FTP  access that use  a very weak
    encryption  system.    Two   examples  recently   discovered   are
    UltraEdit v8.x and  CuteFtp v4.2.   Both use a  very weak encoding
    system to  store passwords  for the  FTP accounts.   CuteFtp  uses
    quite  a  weak  system,  but  when  using  a password for the site
    manager, the sm.dat file is  encrypted and it makes access  to the
    encrypted passwords a little harder..

SOLUTION

    Uncheck "Remember  my User  Name and  Password (save  them on this
    computer)" you  should have  never checked  it in  the first place
    (even  if  it  isn't  a  shared  computer).   The  vendor has been
    notified and is planning on addressing the issue in the future.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH