==[ PassWD2000 v2.x Weak Encryption Vulnerability ]===============
"Success does not consist in never making mistakes
but in never making the same one a second time"
--- George Bernard Shaw
Vulnerable:
PassWD2000 2.0
PassWD2000 2.1 (*)
PassWD2000 2.2 (*)
PassWD2000 2.3 (*)
PassWD2000 2.4 (*)
PassWD2000 2.5
PassWD2000 2.6
PassWD2000 2.7
PassWD2000 2.8
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
- Microsoft Windows ME
(*): Apparently never made it into a public release.
Not vulnerable:
Vendor:
Giordano Bigarelli <infoat_private>
http://www.passwd2000.com/
--[ Overview ]----------------------------------------------------
PassWD2000 is a password managment utility designed to store
login credentials to remote sites, local passwords or
registration details, or even credit card information.
Unfortunately, the vendors' understanding of encryption is a bit
different from mine. PassWD2000 is using an "encryption"
algorithm that is trivial to break, effectively giving an
attacker access to all login information stored within
PassWD2000 once he gains access to the password file.
PassWD2000 has received the ZDNet Editors' Pick award and other
share/freeware recommendations, and thus must be considered to
be in widespread use.
--[ Déjà vu? ]----------------------------------------------------
Think you heard all this before? Definately. Precisely one year
ago, which is coincidence, I published a similar problem of
predecessor PassWD v1.2; it used an even weaker "encryption"
algorithm. For details refer to BID 1300 at:
http://www.securityfocus.com/bid/1300
--[ Vendor Status ]-----------------------------------------------
Vendor is informed, and has decided to do nothing about this
issue. According to vendor, PassWD2000 never claimed so use
strong encryption, only "quite strong encryption". So there will
be no fix in versions 2.x. Subsequently, the vendor decided not
to inform about the issue, neither users nor distribution sites
of PassWD2000 are going to be informed by the vendor.
--[ Solution ]----------------------------------------------------
Don't use PassWD2000 2.x, and make sure none of your users or
admins do either. Period. According to the vendor, the upcoming
3.x release of PassWD2000 will use Blowfish to protect the data.
--[ Technical Details ]-------------------------------------------
PassWD2000 stores all login credentials along with the access
password and a bunch of other things in .PEF files. PEF stands
for PassWD Encrypted Format.
Basically it uses a simple exclusive or with a 128 bit key. It
randomly generates a 128 bit session key, which is used to
encrypt the header and data of the PEF file. It stores this
session key xored to a fixed master key in front of the
encrypted header within the PEF file.
So what you do is xor the fixed master key with the first 128
bits of the file to reveal the session key. Then use the session
key to decrypt the header and data of the file. Only pitfall to
avoid is that header and data are encrypted seperately (reset
key offset).
--[ Proof of Concept ]--------------------------------------------
I've written the decoder for PassWD2000 v2.x PEF files. It has
grown with my knowledge of the file format, thus is very ugly
code indeed, and probably unportable (compiles with gcc-2.95.2).
It should illustrate how to decode a PEF file though.
--[ Afterword ]---------------------------------------------------
If you copy this text or reuse any part of it, please give due
credit (and let me know about it).
Copyright (C) 2001 by Daniel Roethlisberger <danielat_private>.
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 12:08:53 PDT