Information Security News mailing list archives
NT passwords not secure on WinCE devices
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 6 Dec 1999 12:03:34 -0700
From: "Noonan, Michael D" <michael.d.noonan () intel com>

http://www.cegadgets.com/artsusageP.htm

ActiveSync 2.x Allows Unauthorized Access to Your NT Password
Jeff Zamora

Note: I believe it is in the best interest of the Windows CE community to distribute this information. If I can figure this out, many others can as well. Also, I tried this on a Casio E-100 and HP Jornada 420. If you find different results, please let me know.

Windows CE offers the ability to connect to Windows 95/98 and Windows NT desktop systems, allowing the user to move information between the device and the desktop with ease. To facilitate this connection process, Windows CE performs much of this connection process automatically. The first time you connect to a desktop running Windows NT, the Windows CE device presents a User Logon dialog (Figure 1). This dialog prompts for the user name, password, domain, and offers to save the password information. This information is used for authentication purposes under NT. By saving password information, Windows CE can connect to the desktop without any intervention.

This is a nice feature, especially for a user like me. I develop software on the Windows CE platform and reset/reconnect my device dozens of times in a day. Having to type my password during every connect would be quite burdensome. Instead, I chose 'Save password'. Windows CE automatically connects to the desktop and automatically authenticates me.

Windows CE stores this password in the registry. You can find the password entry under HKEY_CURRENT_USER\Comm\RasBook\`Serial @ 115k. The last part of the key name will vary based on your connection speed. Taking a look under this key, you will find a Password entry. Password is a binary data type, and contains a set of data that seems strangely correlated to the length of your NT password. I noticed this correlation and decided to look further.

The first thing I did was to change my NT password to AAAAA. I then connected my Windows CE device to the desktop, and the authentication dialog appeared (whenever you change your NT password, Windows CE will no longer be able to authenticate you and you'll need to re-enter your password). I entered the new password and selected the 'Save password' checkbox. I then recorded the new values for the password, in this case 32 00 34 00 32 00 20 00 26 00 00 00 (Note: all numbers are hex). I repeated the process using BBBBB through EEEEE. I also tried ABCDE. After recording the values for each I noticed that letters mapped to different hex values depending on their location in the string, but that the value was always the same. For example, A in the first position always mapped to 32 00. E in the fifth position always mapped to 22 00.

I also suspected that XOR was being used, since Microsoft has a tendency to use XOR based encryption when they are being lazy. After playing around a bit with binary numbers, I discovered that the XOR value was different for each character position. I assumed they must be using some formula to generate XOR values based on character position. I computed the XOR values for the first five positions, and got the following: 73 00 75 00 73 00 61 00 67 00.

Next, I decided I needed a longer string, to better be able to deduce the formula Microsoft used. I entered AAAAAAAAAA (10 A's). The resulting password number set was 32 00 34 00 32 00 20 00 26 00 24 00 11 00 32 00 34 00 32 00. I saw that the number set repeated at character 8. I computed the remainder of the XOR values, and got the entire list: 73 00 75 00 73 00 61 00 67 00 65 00 50 00.

Password Character   XOR Value   Registry Value
61                   73 (s)      32
61                   75 (u)      34
61                   73 (s)      32
61                   61 (a)      20
61                   67 (g)      26
61                   65 (e)      24
61                   50 (P)      11
Repeats:
61                   73 (s)      32
61                   75 (u)      34
61                   73 (s)      32

So, now I had the XOR value list, but could make no sense of it. Was the number set tied to my machine, and worthless on someone else's? I then noticed that the XOR value set was in a tight number range, which actually was exactly where the ASCII alphabet resided! Looking up the characters for each number I quickly found the XOR code: susageP. Pegasus spelled backwards. The Microsoft engineer responsible for protecting my NT password on the device chose to use an XOR based encryption scheme that relied on Pegasus for its key.

So, the moral of the story is, don't rely on CE to keep your password private, or at least understand that CE poses a slight to moderate security risk. Anyone that picks up your CE device can gain access to your NT password.

ISN is sponsored by Security-Focus.COM
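As an added example (not part of the original post or of ActiveSync), the following Python model encodes the scheme the post describes: the UTF-16LE password XORed position by position with the repeating key "susageP", followed by a 16-bit null terminator. It reproduces the registry values quoted above for AAAAA and ten A's, and shows the known-plaintext step the author used, which is why a fixed repeating XOR key provides no confidentiality once a single password is known.

```python
# Added example, not code from the original post. Constants taken from
# the post: the key "susageP" and the registry values it quotes.
KEY = "susageP"

# Registry Password values quoted in the post (hex bytes, little-endian 16-bit).
SAMPLE_AAAAA = bytes.fromhex("32 00 34 00 32 00 20 00 26 00 00 00")
SAMPLE_TEN_A = bytes.fromhex("32 00 34 00 32 00 20 00 26 00 24 00 11 00 32 00 34 00 32 00")


def obfuscate(password: str) -> bytes:
    """Model of the stored Password value: each UTF-16 code unit of the
    password is XORed with the code of the key character at the same
    position (the key wraps every 7 characters), then 00 00 terminates it."""
    out = bytearray()
    for i, ch in enumerate(password):
        k = KEY[i % len(KEY)]
        out += (ord(ch) ^ ord(k)).to_bytes(2, "little")
    out += b"\x00\x00"
    return bytes(out)


def deobfuscate(blob: bytes) -> str:
    """Invert obfuscate(); stops at the 16-bit null terminator if present."""
    chars = []
    for i in range(0, len(blob) - 1, 2):
        code = int.from_bytes(blob[i:i + 2], "little")
        if code == 0:
            break
        chars.append(chr(code ^ ord(KEY[(i // 2) % len(KEY)])))
    return "".join(chars)


def recover_key(blob: bytes, known_password: str) -> str:
    """The known-plaintext analysis from the post: XOR each stored 16-bit
    value with the matching known password character to expose the key
    stream. With ten A's this yields 'susagePsus', revealing the 7-char period."""
    stream = []
    for i, ch in enumerate(known_password):
        code = int.from_bytes(blob[2 * i:2 * i + 2], "little")
        stream.append(chr(code ^ ord(ch)))
    return "".join(stream)


if __name__ == "__main__":
    print(obfuscate("AAAAA").hex(" "))              # 32 00 34 00 32 00 20 00 26 00 00 00
    print(deobfuscate(SAMPLE_AAAAA))                # AAAAA
    print(recover_key(SAMPLE_TEN_A, "A" * 10))      # susagePsus
```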
Current thread:
- NT passwords not secure on WinCE devices mea culpa (Dec 07)