Bugtraq mailing list archives
Re: [w00giving '99 #11] IMail's password encryption scheme
From: steve () CELL2000 NET (Steven Alexander)
Date: Wed, 22 Dec 1999 11:48:07 -0600
Actually, ipswitch should do two things. They should protect the registry keys so that all users cannot read the encrypted passwords. They should also use stronger crypto so that in the case that someone does get access to the registry keys, they cannot recover the passwords.

This is important. Suppose that someone can gain temporary access to the server, they should not be able to recover the passwords so that they can use them in the future. A user may be able to get to the administrator's desk while he/she is away and get to those keys, but if they can get the administrator's password, they can drop in anytime they want and remotely administer IMail...or the machine if the administrator's password is the same for the domain/workstation as it is for IMail. If they use security at all levels it makes the job of an attacker much more difficult.

I'm really displeased that ipswitch hasn't fixed this problem already. It is simple to protect the registry keys. Also, when their password scheme was revealed to be very simple in (April?) they should have moved to something much more secure, not just another different but simple scheme. If they're reading, perhaps they should consider MD5 or another hash algorithm.

-steven

----- Original Message -----
From: Mikael Olsson <mikael.olsson () enternet se>
To: Steven Alexander <steve () CELL2000 NET>
Cc: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, December 22, 1999 1:27 PM
Subject: Re: [w00giving '99 #11] IMail's password encryption scheme
It would seem that the best solution is to NOT try fixing the red herring (crypto with locally stored key) problem.

The better solution would be to set the access rights for the registry keys in question to only allow the user running the IMail daemons, and the users that are supposed to be able to locally administrate IMail.

Am I right or am I right?

(Btw, you can do this yourself; you don't have to wait for ipswitch to release a fix)

/Mike
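
The registry-permission fix both messages describe can be checked and applied on a current Windows host with PowerShell. The following is an added example, not part of the original thread and not Ipswitch's code; the function name, the key path and the account names are placeholders, since the thread does not name the keys or the service account.

```powershell
# Added example. Key path and account names are placeholders, not values from the thread.
function Test-RegistryKeyExposure {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string[]] $Allowed = @(),   # accounts that should keep access
        [switch]   $Apply            # without -Apply the function only reports
    )
    # Well-known SIDs that amount to "any local user":
    # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
    # Rights that let a principal read values:
    # QueryValues (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
    $readMask = 0x1 -bor 0x10000000 -bor [int]::MinValue
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -Path $KeyPath
    # Explicit and inherited Allow entries that give a broad group read access.
    $exposed = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights) -band $readMask) -ne 0
    })

    if ($Apply) {
        if (-not $Allowed) { throw 'Refusing to apply an empty allow list.' }
        # Stop inheriting from the parent key and discard the inherited entries.
        $acl.SetAccessRuleProtection($true, $false)
        # Remove the remaining explicit entries, then grant only the named accounts.
        foreach ($r in @($acl.GetAccessRules($true, $false, $sidType))) {
            $acl.RemoveAccessRuleSpecific($r)
        }
        foreach ($who in $Allowed) {
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $who, 'FullControl', 'ContainerInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $KeyPath -AclObject $acl
    }
    # Return what was readable by broad groups before any change.
    $exposed | Select-Object @{n='Sid'; e={$_.IdentityReference.Value}}, RegistryRights, IsInherited
}

# Report only (placeholder path):
#   Test-RegistryKeyExposure -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleMail'
# Restrict to administrators and the service account (placeholder names):
#   Test-RegistryKeyExposure -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleMail' `
#       -Allowed 'BUILTIN\Administrators', 'EXAMPLE\svc-mail' -Apply
```

Run the report form first and confirm which account the mail service actually runs as before using `-Apply`; subkeys that already have inheritance disabled keep their own ACLs and need the same check.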