Bardon Data Systems WinU Weak Encrypted Password Vulnerability
BID:1741
Info
Bardon Data Systems WinU Weak Encrypted Password Vulnerability
| Bugtraq ID: | 1741 |
| Class: | Design Error |
| CVE: |
CVE-2000-0789 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 16 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Posted to Bugtraq on August 16, 2000 by Nu Omega Tau <[email protected]>. |
| Vulnerable: |
Bardon Data Systems WinU 5.1 |
| Not Vulnerable: | |
Discussion
Bardon Data Systems WinU Weak Encrypted Password Vulnerability
Bardon Data Systems WinU is a full Windows 95/98/NT user interface replacement with added security features.
Versions of WinU prior to 5.2 utilizes a weak encryption scheme to encode its administrative password. The password is stored under HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config (depending on the version).
For versions 4.x - 5.0 of WinU, the encryption formula is as follows:
154 - ascii code value = encrypted value
Therefore, the letter "A" whose ascii code value is 65 would appear as 89 in encrypted form. The password is then reversed to further obfuscate the original value.
For version 5.1 of WinU, the encryption formula is as follows:
ascii code value + 101 = encrypted value
Deciphering the administrative password would yield full control over the WinU interface.
Bardon Data Systems WinU is a full Windows 95/98/NT user interface replacement with added security features.
Versions of WinU prior to 5.2 utilizes a weak encryption scheme to encode its administrative password. The password is stored under HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config (depending on the version).
For versions 4.x - 5.0 of WinU, the encryption formula is as follows:
154 - ascii code value = encrypted value
Therefore, the letter "A" whose ascii code value is 65 would appear as 89 in encrypted form. The password is then reversed to further obfuscate the original value.
For version 5.1 of WinU, the encryption formula is as follows:
ascii code value + 101 = encrypted value
Deciphering the administrative password would yield full control over the WinU interface.
Exploit / POC
Bardon Data Systems WinU Weak Encrypted Password Vulnerability
See discussion.
See discussion.
Solution / Fix
Bardon Data Systems WinU Weak Encrypted Password Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Bardon Data Systems WinU Weak Encrypted Password Vulnerability
References:
References:
- WinU Product Homepage (Bardon Data Systems)