[Note to Moderator: This vulnerability would probably affect only the 500,000 or so Indian subscribers of the Indian ISP - VSNL. But there being no India-specific forum to post bugs we are posting it here.] ======================================== Name: Integrated Dialer Software for VSNL Version: 1.2.000 Systems: All Windows Platforms Severity: Medium Type: Weak Password Encryption Scheme Vendor: VSNL http://internet.vsnl.com Author: Arjun Pednekar arjunp@nii.co.in Advisory URL: http://www.nii.co.in/vuln/idvsnl.html Network Intelligence India Pvt. Ltd. http://www.nii.co.in ======================================== Description: ======== VSNL is one of India's largest Internet Service Providers. It provides its subscribers with an Integrated Dialer, which is a sort of replacement to Windows Dial-up Networking. This Dialer is available for free download from its website http://internet.vsnl.net.in/dialer/vsnlsetup.exe. The (dis)advantage of the Integrated Dialer is that it shows streaming ads while the user is surfing. The Integrated Dialer comes with the option where-in the user can check the option "Save Password", so that he need not enter the password again. However, the algorithm used to encrypt and store the password is very weak and can be easily decrypted as shown below. Impact: ===== The weakly encrypted password is one which is used by users to connect to VSNL for Internet access, as well as to authenticate to their email account. Any compromise of this password would mean their Internet account being stolen as well as their emails being compromised. However, to decrypt the password, local registry access would be required. Details: ====== The encryption algorithm uses a simple one-to-one mapping technique which can easily be deciphered. The encryted password is stored in the follow registry key, which is constant on all windows platforms: Hive: HKEY_LOCAL_MACHINE\SOFTWARE Key : \VSNL.COM\Dialer\Config Name: Password Type: REG_SZ The array used to map the password-to-encrypted data is given below: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`~1!2@3#4$5%6^7&8*9(0)-_ =+|[{]}};:',<.>/? During encryption, the above characters are mapped one-to-one with the below array. ~!@#$%^&*()_+1234567890-=[{]}};:`,<.>/?aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRs StTuUvVwWxXyYzZZA For decryption, a simple reverse mapping is carried out. PoC Decryption Utility: ================ We have coded a simple utility in Assembly code to demonstrate the encyrption/decrytion routine. You can download it along with the source code from http://www.nii.co.in/vuln/idvsnl.html Vendor Response and Timeline: ====================== 21 Oct 2002: Email sent to vendor about the vulnerability 28 Oct 2002: Reminder email sent as per our Vulnerability Disclosure Policy (http://www.nii.co.in/vdp.html) 1st Nov 2002: Advisory posted We decided to go ahead and post this advisory, since no vendor response was forthcoming even after repeated emails. Workarounds: ========== Do not use the Save As option in the Dialer. If you were using that option earlier, delete the registry key mentioned above. Better still use good old DUN instead. Sincerely, Arjun Pednekar, Systems Security Analyst Network Intelligence India Pvt. Ltd., Email: arjunp@nii.co.in Web: http://www.nii.co.in Phone: 91-22-2001530 / 2006019
