Weak Password Encryption Scheme in Integrated Dialer

["Arjun Pednekar" <arjunp () nii co in>]

[Note to Moderator:
This vulnerability would probably affect only the 500,000 or so Indian
subscribers of the Indian ISP - VSNL. But there being no India-specific
forum to post bugs we are posting it here.]


========================================
Name: Integrated Dialer Software for VSNL
Version: 1.2.000
Systems: All Windows Platforms
Severity: Medium
Type: Weak Password Encryption Scheme
Vendor: VSNL http://internet.vsnl.com
Author: Arjun Pednekar arjunp () nii co in
Advisory URL: http://www.nii.co.in/vuln/idvsnl.html
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
========================================


Description:
========
VSNL is one of India's largest Internet Service Providers. It provides its
subscribers with an Integrated Dialer, which is a sort of replacement to
Windows Dial-up Networking. This Dialer is available for free download from
its website http://internet.vsnl.net.in/dialer/vsnlsetup.exe. The
(dis)advantage of the Integrated Dialer is that it shows streaming ads while
the user is surfing.

The Integrated Dialer comes with the option where-in the user can check the
option "Save Password", so that he need not enter the password again.
However, the algorithm used to encrypt and store the password is very weak
and can be easily decrypted as shown below.


Impact:
=====
The weakly encrypted password is one which is used by users to connect to
VSNL for Internet access, as well as to authenticate to their email account.
Any compromise of this password would mean their Internet account being
stolen as well as their emails being compromised. However, to decrypt the
password, local registry access would be required.


Details:
======
The encryption algorithm uses a simple one-to-one mapping technique which
can easily be deciphered. The encryted password is stored in the follow
registry key, which is constant on all windows platforms:

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key : \VSNL.COM\Dialer\Config
Name: Password
Type: REG_SZ

The array used to map the password-to-encrypted data is given below:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`~1!2@3#4$5%6^7&8*9(0)-_
=+|[{]}};:',<.>/?

During encryption, the above characters are mapped one-to-one with the below
array.

~!@#$%^&*()_+1234567890-=[{]}};:`,<.>/?aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRs
StTuUvVwWxXyYzZZA

For decryption, a simple reverse mapping is carried out.


PoC Decryption Utility:
================
We have coded a simple utility in Assembly code to demonstrate the
encyrption/decrytion routine. You can download it along with the source code
from http://www.nii.co.in/vuln/idvsnl.html


Vendor Response and Timeline:
======================
21 Oct 2002: Email sent to vendor about the vulnerability
28 Oct 2002: Reminder email sent as per our Vulnerability Disclosure Policy
(http://www.nii.co.in/vdp.html)
1st Nov 2002: Advisory posted
We decided to go ahead and post this advisory, since no vendor response was
forthcoming even after repeated emails.


Workarounds:
==========
Do not use the Save As option in the Dialer. If you were using that option
earlier, delete the registry key mentioned above. Better still use good old
DUN instead.


Sincerely,

Arjun Pednekar,
Systems Security Analyst
Network Intelligence India Pvt. Ltd.,
Email: arjunp () nii co in
Web: http://www.nii.co.in
Phone: 91-22-2001530 / 2006019