Bugtraq mailing list archives
Decrypting passwords for SmartServer 3
From: Steven Alexander <steve () cell2000 net>
Date: Sat, 18 Nov 2000 17:26:15 -0800
Product: Smart Server 3 by NetCPlus
Version: 3.75 (others?)
OS: Windows NT/2000/9x

Description:

SmartServer3 (SS3) is a small business email server from NetCPlus. It installs by default in C:\Program Files\smartserver3\ . In this folder it stores a configuration file called 'dialsrv.ini'. This file is accessible to all authenticated users (authenticated to Windows) and contains entries for every user which include their weakly encrypted password. An entry for a user 'Carl' might look like this:

    [USER1]
    realname=Carl Jones
    id=Carl
    dir=CARL
    pw=~:kC@nD3~:
    extml=0
    alertport=
    alert=
    UserActive=1
    MailLimit=0
    MailMAxWarn=0
    MailMaxSize=20

The password encryption scheme is weak. The encryption of the password depends only on the password entered and on the first letter of the POP userID which is given in the entry "dir=CARL".

The attached source is the final copy of the code that I used while dismantling the password scheme that is used. It can decrypt a password of up to 8 characters in length (for shorter passwords, ignore the extra characters). If you need to decrypt a password longer than 8 characters, run the program twice and enter the characters after 8 as a new series (9 would be 1, 10 would be 2, etc). I didn't see the need to make this program useful en masse. Don't forget to enter the first letter of the username into the program as well.

Though it has some other strange properties, the scheme works by adding a position-specific value to each character of the password. Any character that is the same as the first character of the username has a default encryption. For instance, the user BOB with the password 'Book' will have the same encrypted character for the first letter of his password as the user CARL with the password 'Catfish'. Look at the code for more details.

A legitimate administrator can see any user's password after logging into the SS3 console by editing a user and unchecking the 'hide password' box.
The vendor was contacted about this problem a couple of weeks ago, they responded with insults and implied threats. They maintain that good encryption is not necessary for the environments in which their product is used. Further, they insist that they pitch their product for use in businesses and that the email contained in a business user's mail box is only of interest to that person--Yes, they really did say that.

-Steven Alexander
steve () cell2000 net
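The attached ss3.c is not reproduced in the archive. What can be checked from the post alone is the audit side: an administrator who wants to know their exposure can parse dialsrv.ini, list every account whose credential is stored in this reversible form, and, because the post states the encoding depends only on the password and the first letter of the POP userID, flag accounts that share a first letter and an identical pw= value as sharing a password. The script below is an added example written for this archive page, not the author's code or anything from NetCPlus; the INI text it parses is a constructed sample in the layout the post shows, and the pw= values in it are made up.

```python
import configparser
from collections import defaultdict

# Constructed sample in the dialsrv.ini layout the post describes.
# The pw= strings are invented for this example, not real SS3 output.
SAMPLE_INI = """\
[USER1]
realname=Carl Jones
id=Carl
dir=CARL
pw=~:kC@nD3~:
extml=0
alertport=
alert=
UserActive=1

[USER2]
realname=Chris Webb
id=Chris
dir=CHRIS
pw=~:kC@nD3~:
UserActive=1

[USER3]
realname=Dana Lee
id=Dana
dir=DANA
pw=~:xY1!p~:
UserActive=0
"""


def parse_users(text):
    """Return one dict per [USERn] section with the fields the audit needs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    users = []
    for section in cp.sections():
        if not section.upper().startswith("USER"):
            continue
        s = cp[section]
        users.append({
            "section": section,
            "id": s.get("id", ""),
            "dir": s.get("dir", ""),
            "pw": s.get("pw", ""),
            "active": s.get("UserActive", "0") == "1",
        })
    return users


def audit(users):
    """Findings as (kind, subject) tuples, so a caller can sort or count them."""
    findings = []
    # Every non-empty pw= is a reversibly encoded credential: anyone who can
    # read the file (the post says all authenticated Windows users) gets it.
    for u in users:
        if u["pw"]:
            findings.append(("reversible_password", u["id"]))
    # The encoding is keyed only by the first letter of dir=, with no salt.
    # Equal ciphertext under the same first letter therefore means equal
    # cleartext, so password reuse between accounts is visible from the file.
    groups = defaultdict(list)
    for u in users:
        if u["pw"]:
            groups[(u["dir"][:1].upper(), u["pw"])].append(u["id"])
    for (_first, _pw), ids in groups.items():
        if len(ids) > 1:
            findings.append(("shared_password", tuple(ids)))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(parse_users(SAMPLE_INI)):
        print(f"{kind}: {subject}")
```

Point the script at a copy of the real dialsrv.ini to get the account list; the shared_password finding is the one to act on first, since one recovered credential then opens every account it lists.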
Attachment: ss3.c