Bugtraq mailing list archives

Sambar Server password decryption


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 25 Jul 2001 17:45:21 +0400

Hello bugtraq,

Sambar Server (Web/Mail/Proxy for Windows) by default stores
passwords encrypted with Blowfish with a static built-in key.
(Documentation states passwords can't be recovered, but the
server recovers passwords for some needs.) There is not even
a need to discover this key because Sambar has the decoding
procedure inside. Attached is a simple program to launch
decoding. Copy it to Sambar's /bin and treat it as a tool
to recover forgotten passwords :)

In config.ini you can set
 Use Unix crypt = true
to make Sambar use crypt()-like non-recoverable DES format.

If someone needs a formal advisory, it can be found at
http://www.security.nnov.ru/advisories/sambarpass.asp

-- 
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

Attachment: sadecrypt.zip
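
An audit check for the mitigation named in the post, added here as an example and not part of the original message or of Sambar itself. It reports whether a config.ini enables `Use Unix crypt`. The file layout (key = value lines, `[section]` headers, `;`/`#` comments) and the sample files are assumptions.

```python
import re

# "Use Unix crypt" and config.ini come from the post. The file layout assumed
# here (key = value lines, [section] headers, ';' or '#' comments) is an
# assumption, as are the constructed sample files below.
SETTING = "use unix crypt"

def audit_password_storage(ini_text):
    """Classify how passwords are stored according to a config.ini text.

    Returns (status, line_no):
      'one-way'            every occurrence of the setting is 'true'
      'reversible'         some occurrence is not 'true' (line_no points at it)
      'reversible-default' setting absent; the post says reversible storage
                           is the default
    """
    hits = []
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if sep and re.sub(r"\s+", " ", key.strip()).lower() == SETTING:
            # Only the value shown in the post ('true') counts as enabled.
            hits.append((line_no, value.strip().lower() == "true"))
    if not hits:
        return ("reversible-default", None)
    for line_no, enabled in hits:
        if not enabled:
            return ("reversible", line_no)
    return ("one-way", hits[0][0])

# Constructed samples, not taken from a real Sambar installation.
SAMPLE_DEFAULT = "[common]\nPort = 80\n"
SAMPLE_WEAK = "[common]\nUse Unix crypt = false\n"
SAMPLE_HARDENED = "; constructed\n[common]\nUse  Unix crypt = TRUE\n"

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("weak", SAMPLE_WEAK),
                       ("hardened", SAMPLE_HARDENED)]:
        print(name, audit_password_storage(text))
```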