COMMAND
Respondus
SYSTEMS AFFECTED
Respondus v1.1.2
PROBLEM
Desmond Irvine found following. If you have Respondus remember
your userid and password it will store them in the WEBCT.SVR file
in the "Respondus Projects" directory. The information is
"encrypted" by taking the ASCII value of each password character
and adding it to a corresponding constant to get the value to
store. This is extremely simplistic and can easily be reversed
as shown below:
WEBCT.SVR with No Userid / Password
0: 08 00 00 00 01 00 00 00 88 72 74 71 87 3D 87 75
10: 87 87 7B 84 45 82 83 7B 12 15 13 16 EC 10 2F 0D
20: 92 6F 67 0F 14 15 13 9F 14 12 14 13 6D E1 57 16
30: 6F E3 52 18 82 8A 2E 0E 14 0F 15 10 16 11 17 12
40: 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F
50: 12 10 13 11 14 12 15 13 16 14 17 15 31 1D 66 17
60: 13 0D 14 0E 15 0F 16 10 17 11 11 12 D2 81 66 14
70: 63 15 25 17 8A 11 31 0D D9 02 64 0F 12 0F 13 10
80: F5 0B 30 13 D7 82 64 15 89 7B 75 7A 88 0D 2F 0E
90: DE 03 69 10 10 10 11 11 0B 0C 2E 14 D8 71 66 16
A0: 4A 18 11 0D 15 13 14 9D 64 0E 68 11 0A 0B 31 13
B0: 44 15 12 15 62 16 24 18 6D 07 30 0E 35 5B 61 10
C0: 45 12 13 12 17 18 16 A2 16 15 17 16 11 17 12 0D
D0: 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15
E0: 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
F0: 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10 64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48 15 0E 16 0F 18 10 11 11
130: 13 12 13 13 15 14 15 15
WEBCT.SVR with Userid / Password
0: 08 00 00 00 01 00 00 00 88 72 74 71 87 3D 87 75
10: 87 87 7B 84 45 82 83 7B 12 15 13 16 EC 10 2F 0D
20: 92 6F 67 0F 14 15 13 9F 14 12 14 13 6D E1 57 16
30: 6F E3 52 18 82 8A 2E 0E 14 0F 15 10 16 11 17 12
40: 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F
50: 12 10 13 11 14 12 15 13 16 14 17 15 31 1D 66 17
60: 13 0D 14 0E 15 0F 16 10 17 11 11 12 D2 81 66 14
70: 63 15 25 17 8A 11 31 0D D9 02 64 0F 12 0F 13 10
80: F5 0B 30 13 D7 82 64 15 89 7B 75 7A 88 0D 2F 0E
90: DE 03 69 10 10 10 11 11 0B 0C 2E 14 D8 71 66 16
A0: 4A 18 11 0D 15 13 14 9D 64 0E 68 11 0A 0B 31 13
B0: 44 15 12 15 62 16 24 18 6D 07 30 0E 35 5B 61 10
C0: 45 12 13 12 17 18 16 A2 8B 88 7C 88 7A 7B 12 0D
D0: 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15
E0: 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
F0: 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10 64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48 15 0E 16 0F 18 10 11 11
130: 13 12 13 13 14 14 15 15
C8-EF = userid
F0-117 = password
To see the password in plain text subtract the value shown in the
WEBCT.SVR file with no info saved from the value in the same
position in the file with the info saved. Stop when you reach
the point where the values are equal and the result is therefore
0. i.e.
C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
75 73 65 72 69 64 0 <- stop
u s e r i d
F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
70 61 73 73 77 6F 72 64 0 <- stop
p a s s w o r d
The WEBCT.SVR file always uses the same default values so once
you know them on one machine you can use them to determine the
userid and password stored in any WEBCT.SVR file.
This is an improvement from Version 1.0 where the password was
stored in the same file in the same position in plain text. The
password was also displayed on the screen in plain text when
entered in that version as well - the new version now displays
asterisks.
It's not only Respondus, but many other programs that needs to
store passwords for, let's say, FTP access that use a very weak
encryption system. Two examples recently discovered are
UltraEdit v8.x and CuteFtp v4.2. Both use a very weak encoding
system to store passwords for the FTP accounts. CuteFtp uses
quite a weak system, but when using a password for the site
manager, the sm.dat file is encrypted and it makes access to the
encrypted passwords a little harder..
SOLUTION
Uncheck "Remember my User Name and Password (save them on this
computer)" you should have never checked it in the first place
(even if it isn't a shared computer). The vendor has been
notified and is planning on addressing the issue in the future.