COMMAND
WinU
SYSTEMS AFFECTED
WinU 4/5
PROBLEM
Nu Omega Tau found the following. As we all know, Windows 9X is an
OS without any (good/local) security. WinU is one of the many
programs that try to change this. But some things can still
be improved, such as the password encryption...
Encryption - Version 4.X-5.0
============================
Up to version 5.0 the following password encryption algorithm is
used:
154 - asciicode_of_character = encrypted_asciicode_of_character
In other words, for the letter "A" (ASCII 65) the formula would be
154 - 65 = 89 or 154 - ASCII(A) = ASCII(Y)
So the word WinU (ASCII 87, 105, 110, 85) would encrypt to: C1,E
(ASCII 67, 49, 44, 69). The encrypted string is then reversed
(E,1C) to confuse a password cracker. The encrypted password is
then stored in the Windows registry:
HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config
The other program settings are also in the key, but the encrypted
password is somewhere near the beginning. If it's a word, you'll
be able to recognise it if you just decrypt the entire string.
Encryption - Version 5.1
========================
Well... Bardon "fixed" it in version 5.1. Instead of the
154 - asciicode_of_character = encrypted_asciicode_of_character
formula the following formula is used now:
asciicode_of_character + 101 = encrypted_asciicode_of_character
This only protects against password attacks where a canned program
(like the infamous WinU4 hacker utilities) is used. The more
advanced and/or determined cracker will search for the right
algorithm, and with the help of a text on the 4-5.0 algorithm
he'll be able to crack it within minutes.
SOLUTION
Use a non-reversible encryption algorithm like DES or something,
or at least a slightly more complicated formula than + this or -
that.
This vulnerability makes WinU very insecure. Lots of computer
networks using WinU can easily be taken over, especially if
they've got an easy-to-recognise password like "oliebollen" or
something.
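
The sketch below is an added example, not code from WinU or from the original advisory. It puts the 4.x-5.0 formula described above next to a salted one-way verifier of the kind the SOLUTION asks for. PBKDF2-HMAC-SHA256 is swapped in here as a modern stand-in for "DES or something", and all function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os


def winu4_obfuscate(text):
    """4.x-5.0 scheme from the advisory: 154 - ASCII code, then reverse.

    There is no key, and applying the function twice returns the input,
    so the stored value protects the password no better than plaintext.
    """
    return "".join(chr(154 - ord(ch)) for ch in text)[::-1]


def hash_password(password, salt=None, rounds=200_000):
    """One-way alternative: store (salt, rounds, digest), never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, rounds, digest


def verify_password(password, salt, rounds, digest):
    """Recompute the digest from the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # "WinU" is the advisory's own worked example.
    stored = winu4_obfuscate("WinU")
    print("obfuscated:", stored)
    print("same function applied again:", winu4_obfuscate(stored))

    # Constructed sample: the same password hashed twice gives unrelated
    # records, and the record alone cannot be turned back into the password.
    record_a = hash_password("WinU")
    record_b = hash_password("WinU")
    print("records differ:", record_a[2] != record_b[2])
    print("correct password verifies:", verify_password("WinU", *record_a))
    print("wrong password verifies:", verify_password("winu", *record_a))
```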