Packet Storm PACKETSTORM:12123
History: Aug 17, 1999 - 12:00 a.m.

imail.passwd.txt

packetstormsecurity.com
`Date: Thu, 4 Mar 1999 22:30:42 -0800  
From: Steven Alexander <[email protected]>  
To: [email protected]  
Subject: IMAIL password recovery is trivial.  
  
  
The user passwords for Ipswitch's IMail server are stored in  
encrypted (sorta) form in the Windows NT registry.  
(HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\yourdomain\users\) The  
scheme used to protect the password seems to only be intended to deter the  
curious user.  
  
IMail adds the value of the first character of the username with the value  
of the first character of the password. It then puts the sum of the two in  
hex into the registry. It then repeats this with the second letters of both  
the username and the password. If the password is longer than the username,  
the username is repeated.  
  
Example:  
  
username: test  
encrypted-password: BD D4 EA E2 ED D4 E8  
the hex values of the username are: 74 65 73 74  
  
hence:  
  
BD D4 EA E2 ED D4 E8  
-74 -65 -73 -74 -74 -65 -73  
  
= 49 6F 77 6E 79 6F 75  
= Iownyou  
  
No decent product should be using methods like this. This is not simply a  
misimplementation of a strong method, it is a perfect example of a vendor  
trying to cut corners. If someone has access to the mail server and is able  
to access the registry (which users are able depends on your configuration)  
all of the IMail passwords can be recovered. This could also be used to  
build a dictionary for tools such as L0pht Crack and/or to compromise  
Administrator accounts.  
  
Steven Alexander  
[email protected]  
  
`
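The scheme described in the message above, as an added example that is not part of the original post or Ipswitch's code: it reproduces the post's worked example to show the stored value is reversible with only the account name, then contrasts it with a salted one-way hash. The function names, the ASCII-only assumption, and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import os


def imail_encode(username: str, password: str) -> str:
    """Obfuscate as the post describes: password byte + username byte, as hex."""
    user, pw = username.encode("ascii"), password.encode("ascii")
    if not user:
        raise ValueError("username must not be empty")
    # The username repeats when the password is longer than it.
    return " ".join(f"{p + user[i % len(user)]:02X}" for i, p in enumerate(pw))


def imail_decode(username: str, stored_hex: str) -> str:
    """Invert the scheme; the only 'key' is the account name itself."""
    user = username.encode("ascii")
    if not user:
        raise ValueError("username must not be empty")
    plain = []
    for i, byte in enumerate(bytes.fromhex(stored_hex)):
        value = byte - user[i % len(user)]
        if not 0 <= value < 128:
            raise ValueError(f"byte {i} is not ASCII after subtraction")
        plain.append(value)
    return bytes(plain).decode("ascii")


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """One-way alternative (assumed parameters): salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive and compare in constant time; nothing is ever decoded."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    # Values from the post's worked example.
    stored = "BD D4 EA E2 ED D4 E8"
    print(imail_decode("test", stored))            # reversible from the registry value
    salt, digest = hash_password("Iownyou")
    print(verify_password("Iownyou", salt, digest))  # check without recovery
```

With the hashed form, read access to the stored value yields only a salt and digest, so verification works without any path back to the password.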