[NTISP] IMAIL security hole -- poor password encryption

paulks@excite.com
Sun, 14 Mar 1999 21:04:17 PST

Heads up. IMAIL is vulnerable to "insider" password cracking:

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@NETSPACE.ORG] On Behalf Of Steven Alexander
Sent: Thursday, March 04, 1999 10:31 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: IMAIL password recovery is trivial.

The user passwords for Ipswitch's IMail server are stored in
encrypted (sorta) form in the Windows NT registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\yourdomain\users\). The
scheme used to protect the password seems to only be intended to deter the
curious user.

IMail adds the value of the first character of the username with the value
of the first character of the password. It then puts the sum of the two in
hex into the registry. It then repeats this with the second letters of both
the username and the password. If the password is longer than the username,
the username is repeated.

Example:

username: test
encrypted-password: BD D4 EA E2 ED D4 E8
the hex values of the username are: 74 65 73 74

hence:

BD D4 EA E2 ED D4 E8
-74 -65 -73 -74 -74 -65 -73

= 49 6F 77 6E 79 6F 75
= Iownyou

No decent product should be using methods like this. This is not simply a
misimplementation of a strong method, it is a perfect example of a vendor
trying to cut corners. If someone has access to the mail server and is able
to access the registry (which users are able depends on your configuration)
all of the IMail passwords can be recovered. This could also be used to
build a dictionary for tools such as L0pht Crack and/or to compromise
Administrator accounts.

Steven Alexander
steve@cell2000.net


For more information about this list, including removal,
see this url: http://www.iea-software.com/maillist.html