[ SOURCE: http://www.secureroot.com/security/advisories/9665926315.html ] **************************************** * WINU 4/5 weak password vulnerability * **************************************** WinU 4/5 weak password encryption leads to possible WinU administrator compromise Introduction ============ As we all know is Windows 9X an OS without any (good/local) security. WinU (http://www.bardon.com) is one of the many programs who in trying to change this and in my opinion did the best job till now. But some things can still be improved, such as the password encryption... Encryption - Version 4.X-5.0 ============================ Up to version 5.0 the following password encryption algorythm is used: 154 - asciicode_of_character = encrypted_asciicode_of_character in other words, for the letter "A" (ASCII 65) the formula would be 154 - 65 = 89 or 154 - ASCII(A) = ASCII(Y) So the word WinU (ASCII 87, 105, 110, 85) would encrypt to: C1,E (ASCII 67, 49, 44, 69) The encrypted string is then reversed (E,1C) to confuse a password cracker. The encrypted password is then stored in the Windows registry: HKEY_CLASSES_ROOT\WinU4\Config or HKEY_CLASSES_ROOT\WinU5\Config The other program settings are also in the key, but the encrypted password is somewhere near the beginning, if it's a word you'll be able to recognise it if you just decrypt the entire string. Encryption - Version 5.1 ======================== Well... Bardon "fixed" it in version 5.1, instead of the 154 - asciicode_of_character = encrypted_asciicode_of_character formula the following formula is used now: asciicode_of_character + 101 = encrypted_asciicode_of_character This only protects from passwords attacks where a canned program (like the infamous WinU4 hacker utilities) is used. The more advanced and/or determined cracker will search for the right algorythm and with the help of a text of the 4-5.0 algorythm he'll be able to crack it within minutes. Other versions ============== Versions earlier then 4.0 probably use the 4.X algorythm or a even weaker scheme. I wasn't able to get version 5.02, it probably uses the 5.1 algorythm because it was released after I released the algorythm in public. Possible fix ============ Use a non-reverseable encryption algorythm like DES or something or at least a little more complicated formula then + this or - that. Conclusion ========== This vurnerability makes WinU very insecure, lot's of computernetworks using WinU can be easy taken over, especially if they've got an easy to recognise password like "oliebollen" or something. Checkout www.bardon.com for a list of WinU users... wow!...shit :)