[NTISP] IMAIL security hole -- poor password encryption

Sun, 14 Mar 1999 21:04:17 PST

Heads up. IMAIL is vulnerable to "insider" password cracking:

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@NETSPACE.ORG] On Behalf Of Steven
Sent: Thursday, March 04, 1999 10:31 PM
Subject: IMAIL password recovery is trivial.

The user passwords for Ipswitch's IMail server are stored in
encrypted(sorta) form in the Windows NT registry.
(HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\yourdomain\users\) The
scheme used to protect the password seems to only be intended to deter the
curious user.

IMail adds the value of the first character of the username with the value
of the first character of the password. It then puts the sum of the two in
hex into the registry. It then repeats this with the second letters of
the username and the password. If the password is longer than the
the username is repeated.


username: test
encrypted-password: BD D4 EA E2 ED D4 E8
the hex values of the username are: 74 65 73 74


BD D4 EA E2 ED D4 E8
-74 -65 -73 -74 -74 -65 -73

= 49 6F 77 6E 79 6F 75
= Iownyou

No decent product should be using methods like this. This is not simply a
misimplementation of a strong method, it is a perfect example of a vendor
trying to cut corners. If someone has access to the mail server and is
to access the registry(which users are able depends on your configuration)
all of the IMail passwords can be recovered. This could also be used to
build a dictionary for tools such as L0pht Crack and/or to compromise
Administrator accounts.

Steven Alexander

Get your free, private email at http://mail.excite.com/

For more information about this list, including removal,
see this url: http://www.iea-software.com/maillist.html