Decrypting passwords for BrowseGate

[Steven Alexander <steve () cell2000 net>]

Product: BrowseGate by NetCPlus
Version: 2.80.2 (others?)
OS: Windows NT/2000/9x

Description:

BrowseGate is a proxy firewall from NetCPlus.  BrowseGate is sometimes
installed on servers along with other network applications including
SmartServer3 with which it is made to integrate.  BrowseGate installs by
default in C:\Program Files\BrowseGate\  and stores it's configuration
information in the file brwgate.ini .  The file is accessible, by default,
to all authenticated users (authenticated to Windows).  The "encrypted"
password is stored under the 'scrnsze' setting, for instance

scrnsze=Ic6li9m\

The password encryption is very weak.  Though it has some other strange
properties, the scheme works by adding a position-specific value to each
character of the password.  There are seven characters that encrypt
differently from the rest of the character set, I can only guess that it
might be to throw off any analysis but am not particularly sure.  This
scheme appears related to the one used in SmartServer 3 but is somewhat
different.  Look at the code for more details.

The vendor was contacted in regards to a previous security issue with
another product.  Unfortunately, the vendor acted in an extremely
unprofessional manner.  In addition to denying the problem, they responded
with insults and implied threats against me.  At this point, it is up to the
customers of this  vendor to ask for what they deserve: a reasonable measure
of security.  In the meantime, it would be useful to restrict access to the
folder in which BrowseGate is installed.

-Steven Alexander
steve () cell2000 net

Attachment: browse.c
Description: