- Date: Fri, 4 Sep 1998 16:38:13 +0100
- From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
- Subject: SL-Mail ver 3.0.2423 security
-
- Hi,
-
- I thought I'd write to advise of a security issue with SLMail version
- 3.0.3423. Other versions may also be affected.
-
- During the install you choose whether the password is set to the account
- name, "password" or blank. Whichever is chosen, an encrypted password is
- stored in the registry under the following key:
-
- HKLM\Software\Seattle Lab\SLMail\Users
-
- By default, the "Everyone" group has the ability to "set value". Therefore
- it is possible for "Everyone" to:
-
- a) Create their own account
- b) Create their own alias to another account (eg root)
- c) Change the passwords on other people's accounts.
-
- Point C is interesting in the fact that if the password is set to "NULL"
- (eg, u;;ac_name.mbx;;) you can still log in with it to POP3. Why do I
- consider this strange? Because if you choose a "blank" password during the
- install a password is still created that decrypts to "blank" / "NULL". I'd
- suggest that if the password is "Nulled out" that it should not be possible
- to log in with this account until the password is reset by the admin.
-
- There are also problems with the encryption method used. Below are some
- accounts and their password (when "UserID" is used as the password.)
-
- u;;aaaaaa.mbx; aa aa aa aa 1m Ym Wm Hl Vi Cl Qa hg;
- u;;aaaaa.mbx; aa aa aa an 1m Ym Wm Hl Vi Cl Qa 0l;
- u;;aaaa.mbx; aa aa am hn 1m Ym Wm Hl Vi Cl Qa vg;
- u;;aaa.mbx; aa aa 2m hn 1m Ym Wm Hl Vi Cl Qa ck;
- u;;aa.mbx; aa qo 2m hn 1m Ym Wm Hl Vi Cl Qa de;
- u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
-
- u;;bbbbbb.mbx; aa aa aa aa 2m bm Zm sl Si Vl Pa 0g;
- u;;bbbbb.mbx; aa aa aa Wn 2m bm Zm sl Si Vl Pa 3l;
- u;;bbbb.mbx; aa aa am 0n 2m bm Zm sl Si Vl Pa Mg;
- u;;bbb.mbx; aa aa 1m 0n 2m bm Zm sl Si Vl Pa bk;
- u;;bb.mbx; aa Go 1m 0n 2m bm Zm sl Si Vl Pa We;
- u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
-
- u;;"19 c's".mbx; aa aa aa aa aa aa aa aa aa aa a4 7k;
- u;;"16 c's".mbx; aa aa aa aa aa aa aa aa aa aa ae Ze;
- u;;"15 c's".mbx; aa aa aa aa aa aa aa aa aa aa Oa mj;
- u;;"14 c's".mbx; aa aa aa aa aa aa aa aa aa Wl Oa Tc;
- u;;"13 c's".mbx; aa aa aa aa aa aa aa aa ai +l Oa +j;
- u;;"12 c's".mbx; aa aa aa aa aa aa aa aa Ti +l Oa -c;
- u;;"9 c's".mbx; aa aa aa aa aa aa Ym dl Ti +l Oa 6i;
- u;;"8 c's".mbx; aa aa aa aa aa qm Ym dl Ti +l Oa 7e;
-
-
- u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
- u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
- u;;c.mbx; au zw GO rS ev Ju rv Wt or Tk lb is;
- u;;d.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4t;
- u;;e.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ot;
- u;;f.mbx; au zw GO rS ev Ju rv Wt or Tk lb yt;
- u;;g.mbx; au zw GO rS ev Ju rv Wt or Tk lb it;
- u;;h.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4q;
- u;;i.mbx; au zw GO rS ev Ju rv Wt or Tk lb Oq;
- u;;j.mbx; au zw GO rS ev Ju rv Wt or Tk lb yq;
- u;;k.mbx; au zw GO rS ev Ju rv Wt or Tk lb iq;
- u;;l.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4r;
- u;;m.mbx; au zw GO rS ev Ju rv Wt or Tk lb Or;
- u;;n.mbx; au zw GO rS ev Ju rv Wt or Tk lb yr;
- u;;o.mbx; au zw GO rS ev Ju rv Wt or Tk lb ir;
- u;;p.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4w;
- u;;q.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ow;
- u;;r.mbx; au zw GO rS ev Ju rv Wt or Tk lb yw;
- u;;s.mbx; au zw GO rS ev Ju rv Wt or Tk lb iw;
-
-
- (incidentally, if the account is one alphanumeric long and "UserID" is chosen
- as the password the passwords don't decrypt and login fails)
-
- Depending on the ACLs set on the winreg key (if present) these changes
- could be effected remotely, though in most cases local access may be
- needed. Admins should set the ACLs on the SLMail subkey if they don't want
- this to be an issue and physical security cannot be implemented.
-
- L8r
- Mnemonix
- http://www.infowar.co.uk/digital-eclipse
- http://www.users.globalnet.co.uk/~mnemonix
-
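
The ACL check the advisory recommends, as an added example that is not part of the original post: a PowerShell audit that lists Allow entries giving broad groups write-type rights on the SLMail Users key. The key path is the advisory's; the function name `Get-SLMailWeakAce`, the list of broad groups and the set of rights flagged are assumptions, and it assumes a Windows host with PowerShell.

```powershell
# Added example: audit who can write to the SLMail user store named in the advisory.
# The key path comes from the advisory; everything else here is an assumption.
$KeyPath = 'HKLM:\Software\Seattle Lab\SLMail\Users'

# Rights that let a principal add or change account data, or re-open the ACL.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_WRITE / GENERIC_ALL bits, which can appear on inherit-only ACEs.
$WriteMask = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

# Broad principals, matched by well-known SID so localized group names still work.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-SLMailWeakAce {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.RegistryRights -band $WriteMask) -ne 0

        if ($isAllow -and $canWrite -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row printed is an entry that lets a broad group alter mail accounts.
Get-SLMailWeakAce | Format-Table -AutoSize
```

Rows marked as inherited have to be corrected on the parent key, or by disabling inheritance on the SLMail subkey, rather than on the Users key itself.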