
Security Advisory 05 – 002 – Spectrum Cash Receipting System Weak Password Protection Vulnerability

Vulnerable System:

Spectrum Cash Receipting System

Vulnerability discovery and development:

Portcullis Security Testing Services

Affected Systems:

All known versions of Spectrum Cash Receipting System. The vulnerability was discovered in version 6.406.08.


The Spectrum Cash Receipting System is a client/server software solution that allows offline work, and thus offline authentication. The application has several layers of authority with regard to authorising payments.

The local authentication requires the password file for the application to reside locally.

Portcullis discovered that Spectrum’s mechanism for protecting the passwords within the password file is a static substitution algorithm. Additional properties of the system reduce the available key-space, expose plaintext in the ciphertext, enforce a maximum password length and reveal the length of the password in the password file.

Having the password file locally allows an attacker to enumerate valid users on the system and potentially gain unauthorised access to the system through brute force attempts on those valid users’ passwords. Furthermore, valid users of the system could attempt privilege escalation, as they have full details of all valid user accounts.

When a password is created in the application, the algorithm converts all letters entered to lowercase and limits the length to a maximum of 6 characters. In the substitution stage it statically substitutes alphanumeric characters with a character from the range a-z and the special characters “@+&()?\/” including less than and greater than. Any character in the password that is not alphanumeric is not substituted and becomes part of the ciphertext.

If the password is shorter than 6 characters, the algorithm pads the ciphertext with white-space accordingly.
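
The properties described above, modelled next to a salted key-derivation record, as an added example that is not Portcullis or vendor code. The substitution table is constructed (the advisory does not publish the real mapping), and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import string

# Constructed table for illustration only: the advisory does not publish the
# real mapping. Alphanumerics map 1:1 onto a-z plus the ten listed specials.
_TABLE = str.maketrans(string.ascii_lowercase + string.digits,
                       "qwertyuiopasdfghjklzxcvbnm@+&()?\\/<>")

def weak_record(password):
    """Model of the scheme as described: fold case, cut to 6, substitute, pad."""
    return password.lower()[:6].translate(_TABLE).ljust(6)

def kdf_record(password, iterations=600_000):
    """Hardened form: per-record random salt + PBKDF2-HMAC-SHA256, hex encoded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt + digest).hex()

def kdf_verify(password, record, iterations=600_000):
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = bytes.fromhex(record)
    salt, digest = raw[:16], raw[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def audit(store):
    """Test a storage function for each property the advisory lists."""
    return {
        "same_password_same_record": store("s3cret") == store("s3cret"),
        "case_ignored": store("Secret") == store("secret"),
        "truncated_at_6": store("secret") == store("secret99"),
        "length_revealed": len(store("abc").rstrip()) != len(store("abcdef").rstrip()),
        "plaintext_in_record": "!" in store("ab!cd"),
    }

if __name__ == "__main__":
    for name, store in (("weak", weak_record), ("kdf", kdf_record)):
        print(name, audit(store))
```

Every check is true for the modelled scheme and false for the salted record, which is the behaviour a replacement password store should show.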


The impact of this vulnerability is that an attacker with local access to the password file can retrieve the plaintext passwords of all the system users.


Portcullis have developed Proof of Concept code for this issue; however, due to the sensitivity of the application, it will not be released publicly.


Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.