Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Sat, 15 May 1999 12:42:12 +0000  
From: galldor <galldor@UKONLINE.CO.UK>  
Subject: Pegasus Mail weak encryption  
Pegasus Mail Weak Encryption  
Versions Effected: ALL (but I wrote about the V2 encryption on  
Bug Found by: galldor (  
Versions tested: V1 and V2 of the password Encryption  
Brief Description: There is Weak Encryption on Pegasus Mail  
which allows users to read pop3 passwords.  
I've found extreamly weak encryption in the Pegasus Mail Client,  
This can be cracked with ease which means any user could find  
out othere peoples POP3 Passwords.  
The POP3 Passwords are kept in the \mail\USER\pmail.ini  
so c:\pmail\mail\g00f\pmail.ini would give the user g00f's  
configuration file.  
the file looks something like this:  
[Pegasus Mail for Windows - built-in TCP/IP Mail]  
Host where POP3 mail account is located =  
POP3 mail account (username on host) = g00f  
V2 Password for POP3 mail account = $moL  
Delete downloaded mail from host = Y  
Largest message size to retrieve = 0  
Directory to place incoming POP3 mail = C:\PMAIL\MAIL\g00f  
Transport control word = 66308  
SMTP relay host for outgoing mail =  
Search mask to locate outgoing messages  
= C:\PMAIL\MAIL\g00f\*.PMX  
Alternative From: field for message =  
As this text file is world read/writable a user could easley edit the  
file so messages go to a new directory or choose not to delete  
pop3 mail from host.  
But the main problem is the weak encryption on the V2 Password.  
This is a very simple algerithum.  
It is encrypted as follows.  
The letter itself.  
The placement of the letter in the password.  
V2 encrypts so that there is the same amount of letters/numbers  
as in the pass.  
Cracking It:  
I won't go into that much detail as it is so simple, if someone could  
be bothered they could write a small C program to do this.  
First you have to Ignore the $ completely. The letters and Numbers  
after the $ are the encrypted values of the password so anything  
after the $ is also the size of the password.  
Here are a few examples of how to crack it and how the encryption  
a = $m # Just testing....  
aa = $mo  
aaa = $moL  
b = $R  
bb = $R?  
bbb = £R?8  
# As you can see the weak encryption is already showing as the  
encryption dosn't even encrypt by the number of letters.  
# The Encryption works like this  
1st Letter placement of a = m  
2nd Letter placement of a = o  
3rd Letter placement of a = L  
etc etc  
So to find aab it would be as followed:  
aab = 1st a + 2nd a + 3rd b (which) = mo8 # so in the ini the pass  
will be $mo8  
abb = 1st a + 2nd b + 3rd b = $m?8  
So you could now find out:  
bab = $Ro8  
As pegasus is a popular mail client on Windows Networks this  
could mean a compromise of security as most pop3 passwords are  
the same as the telnet/ssh etc.  
Older versions of pegasus use the same kind of encryption it is set  
out the same but just uses differnet numbers and letters to encrypt.