Respondus v1.1.2 stores passwords using weak encryption

From: Desmond Irvine (desmond.irvineat_private)
Date: Thu Aug 23 2001 - 12:24:57 PDT

Next message: William D. Colburn (aka Schlake): "Re: Linux Kernel 2.2.x"

Previous message: Mihai PETROV: "RE: OWA over ssl shutting down IIS"
Next in thread: E. van Elk: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Reply: E. van Elk: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Reply: Philip Rowlands: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.

Synopsis:

If you have Respondus remember your userid and password it will store them
in the WEBCT.SVR file in the "Respondus Projects" directory.  The information
is "encrypted" by taking the ASCII value of each password character and adding
it to a corresponding constant to get the value to store.  This is extremely 
simplistic and can easily be reversed as shown below:

WEBCT.SVR with No Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  16 15 17 16 11 17 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 15 13 16 14 17 15 11 16  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 15 14 15 15

WEBCT.SVR with Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  8B 88 7C 88 7A 7B 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 85 74 89 87 8E 84 83 7A  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 14 14 15 15

C8-EF = userid
F0-117 = password

To see the password in plain text subtract the value shown in the WEBCT.SVR
file with no info saved from the value in the same position in the file
with the info saved.  Stop when you reach the point where the values are
equal and the result is therefore 0.

i.e.

C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
      75 73 65 72 69 64  0 <- stop
      u  s  e  r  i  d

F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
       70 61 73 73 77 6F 72 64  0 <- stop
       p  a  s  s  w  o  r  d

The WEBCT.SVR file always uses the same default values so once you know them
on one machine you can use them to determine the userid and password stored in
any WEBCT.SVR file.

This is an improvement (I guess) from Version 1.0 where the password was stored
in the same file in the same position in plain text.  The password was also displayed
on the screen in plain text when entered in that version as well - the new version
now displays asterisks.

Work-around:

- uncheck "Remember my User Name and Password (save them on this computer)"
  you should have never checked it in the first place (even if it isn't a
  shared computer).

The vendor has been notified and is planning on addressing the issue in the future.

Next message: William D. Colburn (aka Schlake): "Re: Linux Kernel 2.2.x"
Previous message: Mihai PETROV: "RE: OWA over ssl shutting down IIS"
Next in thread: E. van Elk: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Reply: E. van Elk: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Reply: Philip Rowlands: "Re: Respondus v1.1.2 stores passwords using weak encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 12:38:24 PDT