Bugtraq mailing list archives

Re: [w00giving '99 #11] IMail's password encryption scheme


From: steve () CELL2000 NET (Steven Alexander)
Date: Wed, 22 Dec 1999 11:48:07 -0600


Actually, ipswitch should do two things.  They should protect the registry
keys so that all users cannot read the encrypted passwords.  They should
also use stronger crypto so that in the case that someone does get access to
the registry keys, they cannot recover the passwords.  This is important.
Suppose that someone can gain temporary access to the server; they should
not be able to recover the passwords so that they can use them in the
future.

A user may be able to get to the administrator's desk while he/she is away
and get to those keys, but if they can get the administrator's password,
they can drop in anytime they want and remotely administer IMail...or the
machine if the administrator's password is the same for the
domain/workstation as it is for IMail.  If they use security at all levels
it makes the job of an attacker much more difficult.

I'm really displeased that ipswitch hasn't fixed this problem already.  It
is simple to protect the registry keys.  Also, when their password scheme
was revealed to be very simple in (April?) they should have moved to
something much more secure, not just another different but simple scheme.
If they're reading, perhaps they should consider MD5 or another hash
algorithm.

-steven

----- Original Message -----
From: Mikael Olsson <mikael.olsson () enternet se>
To: Steven Alexander <steve () CELL2000 NET>
Cc: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, December 22, 1999 1:27 PM
Subject: Re: [w00giving '99 #11] IMail's password encryption scheme


It would seem that the best solution is to NOT try fixing the
red herring (crypto with locally stored key) problem.

The better solution would be to set the access rights
for the registry keys in question to only allow the user
running the IMail daemons, and the users that are supposed
to be able to locally administrate IMail.

Am I right or am I right?

(Btw, you can do this yourself; you don't have to wait
for ipswitch to release a fix)

/Mike
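As an added illustration of Mike's suggestion, not code from this thread or from Ipswitch: a PowerShell script that audits a registry key's ACL for read access granted to broad principals and, when it finds any, replaces the ACL with one limited to SYSTEM, Administrators and the account the daemons run as. The key path and service account name are placeholders, since the thread does not give IMail's real key.

```powershell
# Added example, not from the thread. Key path and account are placeholders.
$KeyPath        = 'HKLM:\SOFTWARE\ExampleVendor\MailServer'   # placeholder, not IMail's key
$ServiceAccount = 'NT SERVICE\MailDaemon'                     # placeholder daemon account

# Principals that should never be able to read stored credentials.
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE')

function Get-BroadReadAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # QueryValues is the right needed to read a value out of the key.
        $canRead = ([int]$ace.RegistryRights -band
                    [int][System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
            $Broad -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # came from the parent key's ACL?
            }
        }
    }
}

function Restrict-KeyAcl {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's ACEs and do not keep copies of them.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @($Account,                 'ReadKey')       # the daemons only need to read
    )
    foreach ($r in $rules) {
        $rights = [System.Security.AccessControl.RegistryRights]$r[1]
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
                    -ArgumentList $r[0], $rights, $inherit, $prop, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$findings = Get-BroadReadAccess -Path $KeyPath
if ($findings) { $findings | Format-Table -AutoSize; Restrict-KeyAcl -Path $KeyPath -Account $ServiceAccount }
else { "No broad read access on $KeyPath" }
```

Run it from an elevated prompt; Set-Acl needs WRITE_DAC on the key, and the audit alone is safe to run first to see what would change.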

