Bugtraq mailing list archives
Decrypting passwords for BrowseGate
From: Steven Alexander <steve () cell2000 net>
Date: Sat, 18 Nov 2000 17:26:18 -0800
Product: BrowseGate by NetCPlus
Version: 2.80.2 (others?)
OS: Windows NT/2000/9x

Description:

BrowseGate is a proxy firewall from NetCPlus. BrowseGate is sometimes installed on servers along with other network applications including SmartServer3 with which it is made to integrate.

BrowseGate installs by default in C:\Program Files\BrowseGate\ and stores its configuration information in the file brwgate.ini. The file is accessible, by default, to all authenticated users (authenticated to Windows). The "encrypted" password is stored under the 'scrnsze' setting, for instance

scrnsze=Ic6li9m\

The password encryption is very weak. Though it has some other strange properties, the scheme works by adding a position-specific value to each character of the password. There are seven characters that encrypt differently from the rest of the character set; I can only guess that it might be to throw off any analysis but am not particularly sure. This scheme appears related to the one used in SmartServer 3 but is somewhat different. Look at the code for more details.

The vendor was contacted in regards to a previous security issue with another product. Unfortunately, the vendor acted in an extremely unprofessional manner. In addition to denying the problem, they responded with insults and implied threats against me. At this point, it is up to the customers of this vendor to ask for what they deserve: a reasonable measure of security. In the meantime, it would be useful to restrict access to the folder in which BrowseGate is installed.

-Steven Alexander
steve () cell2000 net
Attachment:
browse.c
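
The post recommends restricting access to the BrowseGate folder because brwgate.ini is readable by all authenticated users. The PowerShell below is an added example, not part of the original post or its browse.c attachment: it lists the allow entries that give broad groups read access to the folder and the file. The default path comes from the post; the function name Get-BroadReadAce and the choice of which groups count as "broad" are assumptions made for this example.

```powershell
# Added example: audit read access to the BrowseGate configuration.
# $InstallDir is the default install path named in the advisory.
param(
    [string]$InstallDir = 'C:\Program Files\BrowseGate'
)

# Broad principals, keyed by well-known SID so the check does not depend
# on localized group names. Which groups count as "broad" is an assumption.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities resolved to SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $isAllow = $rule.AccessControlType -eq 'Allow'
        # ReadData is the bit that lets a principal read file contents
        # (or list a directory); Read, ReadAndExecute, Modify and
        # FullControl all include it.
        $canRead = ($rule.FileSystemRights -band $readData) -ne 0
        if ($isAllow -and $canRead -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the folder and the .ini file; a missing path is reported, not fatal.
$targets = @($InstallDir, (Join-Path $InstallDir 'brwgate.ini'))
foreach ($target in $targets) {
    if (Test-Path -LiteralPath $target) { Get-BroadReadAce -Path $target }
    else { Write-Warning "Not found: $target" }
}
```

Any row in the output is an entry to remove or narrow, after confirming that the account BrowseGate itself runs under keeps the access it needs. Entries marked Inherited come from a parent folder, so they have to be changed there or inheritance on the BrowseGate folder has to be broken first.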