padlock-it.txt

Packet Storm (packetstormsecurity.com) - PACKETSTORM:12257  
Author: Efrain Torres  
History: Aug 17, 1999 - 12:00 a.m.
`Date: Fri, 19 Feb 1999 13:51:39 -0500 (EST)  
From: ET LoWNOISE <[email protected]>  
To: [email protected]  
Cc: [email protected]  
Subject: PADLOCK-IT and TwoFish  
  
Hi,   
2 months ago, I delivered this advisory to bugtraq... but now I have found  
that this program is more popular than ever because it has been shown in  
WIRED magazine as one of the best products ever to manage passwords. So  
I think people need to know the truth.  
  
  
[LOWNOISE] Advisory:   
[email protected]  
by ET.  
PADLOCK-IT 1.01  
===============  
  
DISCLAIMER: Learn, there are dark things behind a nice GUI.  
  
Well, maybe this isn't a topic for bugtraq, but many people are  
using this kind of program to protect all kinds of passwords.  
(Dial-up passwords, UNIX accounts, etc etc etc..............)  
This is just a quick note about this product. I'm going deeper  
later.  
  
  
PRODUCT: PADLOCK-IT Version 1.01 1998  
1998 WinWare Inc.  
1998 eEye Digital Security Team <---- Hmmmm!!  
http://www.eEye.com  
  
PROBLEM: Poor Implementation of TWOFISH  
(Counterpane Systems) encryption  
  
  
DESCRIPTION: PadLock-it is a utility program for   
Windows 95, 98 and NT. It remembers  
all your passwords in a single, easy  
to use interface. It protects your  
passwords using encryption and fixes  
many loopholes in windows applications  
password management.  
  
Well, I'm not a guru on cryptanalysis, but there's something  
wrong with PadLock-it. I agree that it has a really cool  
GUI and it's easy to use. But it's opening new problems in  
password management.  
  
First, remember that now all the passwords will be encrypted  
in 1 file called Padlock-it.dat, so any person can grab this  
file and analyze it using just a text editor.  
  
Padlock-it.dat (EXAMPLE)  
=========================  
  
[General]  
Version=1.01  
MP=588b1c441a   
  
[Options]  
TrayIcon=1  
Confirm=0  
Startup=1  
Quick Tips=1  
  
[Accounts]  
prueba=4a0e54f8^Ä^Å4a0e54f8625f  
prueba1=5d2bd3e4e7^Ä^Å4a169a9f8901  
prueba2=4a169a9f^Ä^Å3db126d6f1fc83a4  
enter=588b1c441a^Ä^Å588b1c441a  
noise=5554c02c0b^Ä^Å5554c02c0b  
  
--------------------------------------------------  
First problem:  
THEY ARE NOT USING A RANDOM SEED BETWEEN USERID AND ITS PASSWORD  
  
example:  
prueba = 4a169a9f__ 4a169a9f8900  
         root       root98  
  
If there are some weak passwords:  
U can guess what the weak password is for a specified USER.  
Remember that it is easy to get some USER IDs just because  
other programs will give u that kind of info.  
  
  
Second problem:  
THEY ARE NOT USING A RANDOM SEED BETWEEN ACCOUNTS  
  
example:  
prueba1= 5d2bd3e4e7__ 4a169a9f8901  
         admin        root98  
  
So here is more help to get an idea of how to find the passwords.  
  
  
Third problem:  
U CAN KNOW THE FIRST LETTER (and sometimes the SECOND too)  
OF ANY USER ID AND THE PASSWORD (THIS INCLUDES THE MASTER  
PASSWORD MP= "Take a look at the Padlock-it.dat (EXAMPLE)")  
  
Well, there is no random seed (IMPORTANT PART OF ANY CRYPTO-THING)  
  
So here is a very little table:  
  
  
1st letter   encrypted  
a            5d  
b            5f  
c            5e  
d            59  
e            58  
f            5a  
g            5b  
h            51  
i            50  
j            52  
k            53  
l            57  
m            56  
n            55  
o            54  
p            48  
q            49  
r            4a  
s            4b  
t            4d  
u            4c  
v            4f  
w            4e  
x            46  
y            47  
z            44  
  
Another problem:  
U KNOW HOW MANY CHARACTERS ARE IN THE USER ID AND THE   
PASSWORD AND THE MASTER PASSWORD.  
  
Count the characters in the encrypted password and  
divide by 2.  
  
example:  
prueba=4a0e54f8^Ä^Å4a0e54f8625f  
       r***        r*****  
  
prueba1=5d2bd3e4e7^Ä^Å4a169a9f8901  
        a****         r*****  
  
Another problem:  
THEY SAY (On HELP):  
I can only enter 5 characters for my master  
password, why?  
  
The evaluation version of PadLock-it™  
is limited to 40 bit encryption, only US  
full versions of PadLock-it™ support 128  
bit encryption, which translates into 16  
character passwords.  
  
SO U KNOW THE FIRST LETTER OF THE MP SO A BRUTE FORCE  
ATTACK IS EASY TO DO TO FIND THE NEXT 4 CHARACTERS.  
  
Another problem:  
THEY SAY (On HELP):  
I forgot my master password, can I get it   
back?  
  
No, PadLock-it uses a state of the art security  
that is unbreakable, no one can get your master  
password. Not even the developers of PadLock-it.  
  
WHEN U GO TO EDIT AN ACCOUNT, PADLOCK DECRYPTS THE  
USERID AND SHOWS IT TO YOU IN CLEAR TEXT.  
  
THE MP USES THE SAME TWOFISH ENCRYPTION WITHOUT SEED  
LIKE THE ACCOUNTS:  
  
[General]  
Version=1.01  
MP=588b1c441a "guess the password"  
  
[Accounts]  
enter=588b1c441a^Ä^Å588b1c441a  
      "enter"       "enter"  
  
THE MP JUST WORKS TO AUTHENTICATE YOU; IT HAS NO JOB  
IN LATER ENCRYPTION.  
  
CONCLUSION:  
IF THEY DECRYPT THE USER ID, THEY CAN BREAK  
THE MP.!!!!!  
  
NOTE:   
THEY SAY:  
  
What Encryption algorithm does PadLock-it™ use?  
  
PadLock-it™ uses the latest release of Twofish  
encryption from Counterpane Systems.  
BRUCE SCHNEIER is the president of Counterpane  
Systems, the author of Applied Cryptography   
(John Wiley & Sons, 1994 & 1996), and the   
developer of Blowfish and Twofish.  
  
  
WELL THEY ARE JUST USING THE POPULARITY OF A  
GREAT DUDE... Twofish, it's c00l... the  
implementation in this proggy just sucks.  
  
================================================================  
Efrain `ET` Torres  
LoWNOISE Colombia.   
[email protected]   
1999  
  
[email protected]  
================================================================  
  
`
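
An added example, not part of the original advisory or the product's code: a Python sketch that reads the advisory's sample Padlock-it.dat and lists what the ciphertext alone discloses (field lengths, first letters, shared prefixes, the MP matching a stored field), using only the observations and the first-letter table given above. The `|` separator and all function names are assumptions made for the example.

```python
import re

# Constructed from the advisory's Padlock-it.dat sample. "|" stands in for the
# separator the page renders as "^Ä^Å" (assumption: it splits user ID from password).
SAMPLE = """\
[General]
MP=588b1c441a
[Accounts]
prueba=4a0e54f8|4a0e54f8625f
prueba1=5d2bd3e4e7|4a169a9f8901
prueba2=4a169a9f|3db126d6f1fc83a4
enter=588b1c441a|588b1c441a
noise=5554c02c0b|5554c02c0b
"""

# First-letter table copied from the advisory (ciphertext byte for a..z).
TABLE = ("5d 5f 5e 59 58 5a 5b 51 50 52 53 57 56 "
         "55 54 48 49 4a 4b 4d 4c 4f 4e 46 47 44").split()
BY_BYTE = dict(zip(TABLE, "abcdefghijklmnopqrstuvwxyz"))

def describe(field):
    """What one stored field discloses with no key: (length, first letter)."""
    return len(field) // 2, BY_BYTE.get(field[:2], "?")

def shared_prefix(a, b):
    """Leading ciphertext bytes two fields have in common (no per-entry seed)."""
    n = 0
    while n < min(len(a), len(b)) // 2 and a[2*n:2*n+2] == b[2*n:2*n+2]:
        n += 1
    return n

def audit(text):
    """Summarise the leaks the advisory lists for every entry in the file."""
    mp = re.search(r"^MP=(\w+)", text, re.M).group(1)
    out = {"mp": describe(mp), "mp_reused_in": [], "accounts": {}}
    for name, uid, pwd in re.findall(r"^(\w+)=(\w+)\|(\w+)$", text, re.M):
        out["accounts"][name] = {"userid": describe(uid),
                                 "password": describe(pwd),
                                 "uid_pwd_prefix": shared_prefix(uid, pwd)}
        if mp in (uid, pwd):  # MP ciphertext equals a stored field
            out["mp_reused_in"].append(name)
    return out

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("MP:", report["mp"], "same ciphertext as:", report["mp_reused_in"])
    for name, info in report["accounts"].items():
        print(name, info)
```

With a fresh random IV or nonce per entry, equal plaintexts would no longer produce equal ciphertext, so the prefix and reuse findings would disappear; hiding the length would additionally need padding.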