WinU 4/5 weak password encryption leads to system compromise
21 Aug. 2000
Summary
Windows 9x is not very secure by default, and WinU is one of the many programs that try to make it more secure. But even this product, which focuses on providing security, has been found to contain security faults; one such problem is its password encryption algorithm.
Credit:
The information has been provided by Nu Omega Tau.
Versions 4.X-5.0
Up to version 5.0 the following password encryption algorithm is used:
154 - asciicode_of_character = encrypted_asciicode_of_character
In other words, for the letter "A" (ASCII 65) the formula would be 154 - 65 = 89 or 154 - ASCII(A) = ASCII(Y)
So the word WinU (ASCII 87, 105, 110, 85) would encrypt to: C1,E (ASCII 67, 49, 44, 69). The encrypted string is then reversed (E,1C) to confuse a possible password cracker. The encrypted password is then stored in the Windows registry:
HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config
The other program settings are also stored in that key, but the encrypted password is somewhere near the beginning. Since the algorithm is not position dependent, it is possible to decrypt the whole string and spot the password inside the decrypted output.
Version 5.1
Bardon "fixed" this in version 5.1. Instead of the 154 - asciicode_of_character = encrypted_asciicode_of_character formula, the following formula is now used:
asciicode_of_character + 101 = encrypted_asciicode_of_character
This only protects against password attacks where a canned program (like the infamous WinU4 hacker utilities) is used. A more advanced and/or determined cracker will search for the right algorithm and, with the help of a write-up of the previous algorithm, will be able to crack it within minutes.
Possible fix:
Bardon should use a non-reversible encryption algorithm like DES.
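The following added example (not code from the advisory or from Bardon) implements the two per-character transforms exactly as described above, shows that each one is inverted without any key, and contrasts them with a one-way alternative. The one-way function uses a salted PBKDF2-HMAC-SHA256 hash, which is an assumption of this example (the advisory itself only names DES).

```python
import hashlib
import hmac
import os

# WinU 4.x / 5.0 scheme as described in the advisory:
# encrypted = 154 - ascii(char), then the whole string is reversed.
def winu_encode_v4(password: str) -> str:
    return "".join(chr(154 - ord(c)) for c in password)[::-1]

# WinU 5.1 scheme as described: encrypted = ascii(char) + 101.
def winu_encode_v51(password: str) -> str:
    return "".join(chr(ord(c) + 101) for c in password)

# Both transforms are per-character bijections that depend on no secret,
# so anyone who knows the formula recovers the plaintext directly.
def winu_decode_v4(stored: str) -> str:
    return "".join(chr(154 - ord(c)) for c in stored[::-1])

def winu_decode_v51(stored: str) -> str:
    return "".join(chr(ord(c) - 101) for c in stored)

# Because the transform is not position dependent, decoding a whole
# config blob reveals the password wherever it sits (constructed sample).
def winu_decode_v4_blob(blob: str) -> str:
    return winu_decode_v4(blob)

# One-way alternative (assumption, not the vendor's fix): a salted
# password hash. Only the salt and digest are stored; verification
# recomputes the digest and compares in constant time.
ITERATIONS = 200_000

def new_salt() -> bytes:
    return os.urandom(16)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), digest)

if __name__ == "__main__":
    stored = winu_encode_v4("WinU")
    print(repr(stored), "->", winu_decode_v4(stored))   # 'E,1C' -> WinU
    salt = new_salt()
    digest = hash_password("WinU", salt)
    print(verify_password("WinU", salt, digest), verify_password("winu", salt, digest))
```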