Information Security News mailing list archives

NT passwords not secure on WinCE devices


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 6 Dec 1999 12:03:34 -0700

From: "Noonan, Michael D" <michael.d.noonan () intel com>

http://www.cegadgets.com/artsusageP.htm
ActiveSync 2.x Allows Unauthorized Access to Your NT Password
Jeff Zamora

Note: I believe it is in the best interest of the Windows CE community to
distribute this information. If I can figure this out, many others can as
well. Also, I tried this on a Casio E-100 and HP Jornada 420. If you find
different results, please let me know.

Windows CE offers the ability to connect to Windows 95/98 and Windows NT
desktop systems, allowing the user to move information between the device
and the desktop with ease. To facilitate this connection process, Windows
CE performs much of this connection process automatically.

The first time you connect to a desktop running Windows NT, the Windows
CE device presents a User Logon dialog (Figure 1). This dialog prompts for
the user name, password, domain, and offers to save the password
information.  This information is used for authentication purposes under
NT. By saving password information, Windows CE can connect to the desktop
without any intervention. This is a nice feature, especially for a user
like me. I develop software on the Windows CE platform and reset/reconnect
my device dozens of times in a day. Having to type my password during
every connect would be quite burdensome. Instead, I chose 'Save password'.
Windows CE automatically connects to the desktop and automatically
authenticates me.

Windows CE stores this password in the registry. You can find the password
entry under HKEY_CURRENT_USER\Comm\RasBook\`Serial @ 115k. The last part
of the key name will vary based on your connection speed. Taking a look
under this key, you will find a Password entry. Password is a binary data
type, and contains a set of data that seems strangely correlated to the
length of your NT password. I noticed this correlation and decided to look
further.

The first thing I did was to change my NT password to AAAAA. I then
connected my Windows CE device to the desktop, and the authentication
dialog appeared (Whenever you change your NT password, Windows CE will no
longer be able to authenticate you and you'll need to re-enter your
password). I entered the new password and selected the 'Save password'
checkbox. I then recorded the new values for the password, in this case 32
00 34 00 32 00 20 00 26 00 00 00 (Note: all numbers are hex). I repeated
the process using BBBBB through EEEEE. I also tried ABCDE.

After recording the values for each I noticed that letters mapped to
different hex values depending on their location in the string, but that
the value was always the same. For example, A in the first position always
mapped to 32 00.  E in the fifth position always mapped to 22 00. I also
suspected that XOR was being used, since Microsoft has a tendency to use
XOR based encryption when they are being lazy.

After playing around a bit with binary numbers, I discovered that the XOR
value was different for each character position. I assumed they must be
using some formula to generate the XOR values based on character position.
I computed the XOR values for the first five positions, and got the
following:  73 00 75 00 73 00 61 00 67 00.

Next, I decided I needed a longer string, to better be able to deduce the
formula Microsoft used. I entered AAAAAAAAAA (10 A's). The resulting
password number set was 32 00 34 00 32 00 20 00 26 00 24 00 11 00 32 00 34
00 32 00. I saw that the number set repeated at character 8. I computed
the remainder of the XOR values, and got the entire list: 73 00 75 00 73
00 61 00 67 00 65 00 50 00.

Password Character   XOR Value   Registry Value

61                   73 (s)      32
61                   75 (u)      34
61                   73 (s)      32
61                   61 (a)      20
61                   67 (g)      26
61                   65 (e)      24
61                   50 (P)      11

Repeats:

61                   73 (s)      32
61                   75 (u)      34
61                   73 (s)      32

So, now I had the XOR value list, but could make no sense of it. Was the
number set tied to my machine, and worthless on someone else's? I then
noticed that the XOR value set was in a tight number range, which actually
was exactly where the ASCII alphabet resided! Looking up the characters
for each number I quickly found the XOR code. susageP. Pegasus spelled
backwards. The Microsoft engineer responsible for protecting my NT
password on the device chose to use an XOR based encryption scheme that
relied on Pegasus for its key.
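The scheme described above, reproduced as an added worked example (this is not code from the article or from Microsoft). It assumes what the recorded bytes imply: the password is stored as UTF-16LE (each character followed by 00), each 16-bit unit is XORed with the matching unit of "susageP" encoded the same way, the key cycles every seven characters, and the trailing 00 00 terminator is stored unmasked (the author's AAAAA sample ends in "26 00 00 00"). The article's recorded values check out with 'A' = 0x41 (0x41 ^ 0x73 = 0x32), which is what the code uses; the table's first column lists 61, which is the code for lowercase 'a'. The known-plaintext step the author performed (set a password you know, XOR it against the stored bytes, read off the key) is included to show why a fixed repeating key gives no protection: anyone holding the stored value and the key, or one known password, reverses it directly.

```python
"""Repeating-key XOR as used for the Windows CE RasBook password entry,
reconstructed from the values recorded in the article (example code, not the
original implementation). Key "susageP" and sample values come from the
article; the UTF-16LE layout and unmasked terminator are inferred from the
recorded bytes."""

# "Pegasus" spelled backwards, stored as UTF-16LE: b"s\x00u\x00s\x00a\x00g\x00e\x00P\x00"
KEY_UTF16 = "susageP".encode("utf-16-le")


def xor_stream(data: bytes) -> bytes:
    """XOR every byte with the key byte at the same position, key cycling
    every 14 bytes (7 characters). XOR is its own inverse, so this one
    function both masks and unmasks."""
    return bytes(b ^ KEY_UTF16[i % len(KEY_UTF16)] for i, b in enumerate(data))


def encode_stored_password(password: str) -> bytes:
    """Produce the bytes the device writes to the Password registry value."""
    masked = xor_stream(password.encode("utf-16-le"))
    return masked + b"\x00\x00"  # terminator stored as-is, per the AAAAA sample


def decode_stored_password(blob: bytes) -> str:
    """Recover the NT password from the stored bytes using the known key."""
    if blob.endswith(b"\x00\x00"):
        blob = blob[:-2]
    return xor_stream(blob).decode("utf-16-le")


def recover_key_stream(blob: bytes, known_password: str) -> str:
    """The author's known-plaintext step: XOR the stored bytes with a password
    you set yourself; what falls out is the key stream ("susagePsus..." for a
    10-character password). Assumes the same UTF-16LE layout."""
    plain = known_password.encode("utf-16-le")
    keystream = bytes(a ^ b for a, b in zip(blob, plain))  # zip drops the terminator
    return keystream.decode("utf-16-le")


def key_period(stream: str) -> int:
    """Shortest repeat length of a recovered key stream. The article spotted
    the repeat at character 8, i.e. a period of 7."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def as_registry_hex(blob: bytes) -> str:
    """Format bytes the way the article lists them: '32 00 34 00 ...'."""
    return " ".join(f"{b:02x}" for b in blob)


if __name__ == "__main__":
    # Constructed sample passwords matching the article's experiments.
    for pw in ("AAAAA", "EEEEE", "ABCDE", "AAAAAAAAAA"):
        stored = encode_stored_password(pw)
        print(f"{pw:<12} -> {as_registry_hex(stored)}")
        assert decode_stored_password(stored) == pw
    ks = recover_key_stream(encode_stored_password("AAAAAAAAAA"), "AAAAAAAAAA")
    print(f"key stream from 10 A's: {ks!r}, period {key_period(ks)}")
```

Running it prints the same byte sequences the author recorded for AAAAA and for ten A's, and the recovered key stream "susagePsus" with period 7. The practical check a reviewer would apply to any such scheme: if the masking function equals the unmasking function and the key is a constant shipped in the software, the stored value is only obfuscated, and a known-plaintext test of the kind shown here recovers the key in one step.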

So, the moral of the story is, don't rely on CE to keep your password
private, or at least understand that CE poses a slight to moderate
security risk. Anyone that picks up your CE device can gain access to your
NT password.

ISN is sponsored by Security-Focus.COM
