SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Respondus Vendors:   Respondus, Inc.
Respondus Educational Testing Software Uses Weak Encoding to Protect User Passwords from Being Viewed by Local Users
SecurityTracker Alert ID:  1002263
SecurityTracker URL:  http://securitytracker.com/id/1002263
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2001
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): Version 1.1.2 (7-26-2001)
Description:   A vulnerability was reported in Respondus educational testing software that allows local users to determine user passwords that are contained in a weakly encoded file.

If Respondus is configured to 'remember' your userid and password, the software will store the authentication data in the WEBCT.SVR file using a weak encoding scheme. Each password character is reportedly encoded by adding a constant value. This allows a local user to readily determine another user's password.

Impact:   A local user can obtain a Respondus user's password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.respondus.com/products/index.shtml (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Respondus v1.1.2 stores passwords using weak encryption


Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.

Synopsis:

If you have Respondus remember your userid and password it will store them
in the WEBCT.SVR file in the "Respondus Projects" directory.  The information
is "encrypted" by taking the ASCII value of each password character and adding
it to a corresponding constant to get the value to store.  This is extremely 
simplistic and can easily be reversed as shown below:

WEBCT.SVR with No Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  16 15 17 16 11 17 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 15 13 16 14 17 15 11 16  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 15 14 15 15

WEBCT.SVR with Userid / Password

  0: 08 00 00 00 01 00 00 00  88 72 74 71 87 3D 87 75
 10: 87 87 7B 84 45 82 83 7B  12 15 13 16 EC 10 2F 0D
 20: 92 6F 67 0F 14 15 13 9F  14 12 14 13 6D E1 57 16
 30: 6F E3 52 18 82 8A 2E 0E  14 0F 15 10 16 11 17 12
 40: 11 13 12 14 13 15 14 16  15 17 16 0D 17 0E 11 0F
 50: 12 10 13 11 14 12 15 13  16 14 17 15 31 1D 66 17
 60: 13 0D 14 0E 15 0F 16 10  17 11 11 12 D2 81 66 14
 70: 63 15 25 17 8A 11 31 0D  D9 02 64 0F 12 0F 13 10
 80: F5 0B 30 13 D7 82 64 15  89 7B 75 7A 88 0D 2F 0E
 90: DE 03 69 10 10 10 11 11  0B 0C 2E 14 D8 71 66 16
 A0: 4A 18 11 0D 15 13 14 9D  64 0E 68 11 0A 0B 31 13
 B0: 44 15 12 15 62 16 24 18  6D 07 30 0E 35 5B 61 10
 C0: 45 12 13 12 17 18 16 A2  8B 88 7C 88 7A 7B 12 0D
 D0: 13 0E 14 0F 15 10 16 11  17 12 11 13 12 14 13 15
 E0: 14 16 15 17 16 0D 17 0E  11 0F 12 10 13 11 14 12
 F0: 85 74 89 87 8E 84 83 7A  12 17 13 0D 14 0E 15 0F
100: 16 10 17 11 11 12 12 13  13 14 14 15 15 16 16 17
110: 17 0D 11 0E 12 0F 13 10  64 11 15 12 15 12 16 13
120: 11 15 12 16 68 67 99 48  15 0E 16 0F 18 10 11 11
130: 13 12 13 13 14 14 15 15

C8-EF = userid
F0-117 = password

To see the password in plain text subtract the value shown in the WEBCT.SVR
file with no info saved from the value in the same position in the file
with the info saved.  Stop when you reach the point where the values are
equal and the result is therefore 0.

i.e.

C8-EF 8B 88 7C 88 7A 7B 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
C8-EF 16 15 17 16 11 17 12 0D 13 0E 14 0F 15 10 16 11 17 12 11 13 12 14 13 15 14 16 15 17 16 0D 17 0E 11 0F 12 10 13 11 14 12
      75 73 65 72 69 64  0 <- stop
      u  s  e  r  i  d

F0-117 85 74 89 87 8E 84 83 7A 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
F0-117 15 13 16 14 17 15 11 16 12 17 13 0D 14 0E 15 0F 16 10 17 11 11 12 12 13 13 14 14 15 15 16 16 17 17 0D 11 0E 12 0F 13 10
       70 61 73 73 77 6F 72 64  0 <- stop
       p  a  s  s  w  o  r  d

The WEBCT.SVR file always uses the same default values so once you know them
on one machine you can use them to determine the userid and password stored in
any WEBCT.SVR file.

This is an improvement (I guess) from Version 1.0 where the password was stored
in the same file in the same position in plain text.  The password was also displayed
on the screen in plain text when entered in that version as well - the new version
now displays asterisks.

Work-around:

- uncheck "Remember my User Name and Password (save them on this computer)"
  you should have never checked it in the first place (even if it isn't a
  shared computer).

The vendor has been notified and is planning on addressing the issue in the future.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC