
netscape.passwd.txt

17 Aug 1999. Reported by Packet Storm (packetstormsecurity.com).

Netscape Messenger stores passwords in registry, making them vulnerable to malicious access.

Code
`Possible Netscape Crypto Security Flaw  
  
Haze ([email protected])  
Sun, 14 Feb 1999 21:13:46 -0600   
  
When you go into Netscape Messenger and check your mail, the software  
stores the password you used in the registry and encrypts it. It remains  
there for as long as Netscape is open. The login and password are kept  
in:  
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\username(varies)\servers\<mail server>  
  
Here is the scenario...  
  
Let's say Regular Joe A runs Netscape and then checks his email first  
off...  
He checks it, enters his password, and his password is stored in the  
registry...  
Let's say after he gets done checking his mail, he doesn't close  
Netscape and decides to browse the web. He comes up along Malicious  
Site A which contains a malicious javascript code to read his local  
registry files and retrieve his mail server login (unencrypted),  
encrypted password, and his mail server. Well then the cracker could  
perform a brute force crack on the encryption and attempt to gain access  
to the Regular Joe A's ISP and/or pop3 e-mail account...  
  
---------------------------------------------------------------------------  
  
Re: Possible Netscape Crypto Security Flaw  
  
HD Moore ([email protected])  
Tue, 16 Feb 1999 13:02:08 -0600   
  
First of all, if someone can access your registry files via a  
javascript, you have worse problems to deal with.  
  
The storing of the mail password in the registry was mentioned in a post  
of mine that can be found at:  
http://geek-girl.com/bugtraq/1998_4/0344.html  
  
The password is *still* in the registry after you close netscape,  
keeping netscape open is not required. If they could access your  
registry files to begin with, why not save the trouble of digging it out  
and just snag prefs.js / preferences.js?  
  
Anyways, my 2 cents..  
  
-HD  
  
---------------------------------------------------------------------------  
  
Re: Possible Netscape Crypto Security Flaw  
  
Pete Krawczyk ([email protected])  
Tue, 16 Feb 1999 11:07:05 -0600   
  
At 09:13 PM 2/14/99 -0600, Haze wrote:  
>Well  
>then the cracker could perform a brute force crack on the encryption and  
>attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail  
>account...  
  
To get to the POP3 account, you'd only need to put the password in a  
registry key of your own, then check the mail. I would imagine that the  
key to encrypt is the same across all copies of Netscape.  
  
Along those lines, if you had a sniffer next to the computer you put the  
encrypted password on, you could sniff the real password in transit and  
thus not have to brute force attack the password, since POP3 is cleartext  
traffic.  
  
-Pete K  
--  
Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/  
pkrawczy at uiuc dot edu Finger the 2nd address for PGP Public Key  
petek at bsod dot net "No spammies, no spammies, no spammies... stop!"  
`
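
For defenders checking legacy hosts for the stored credential the thread describes (which, per HD Moore's reply, persists after Netscape is closed), the following is an added audit example and not code from the thread or from Netscape. Only the registry path comes from the post; the function name and output shape are assumptions, and the sketch goes beyond HKEY_CURRENT_USER by walking every user hive loaded under HKEY_USERS.

```powershell
# Added audit example (not from the thread). Only the registry sub-path below
# is taken from the post; function name and output fields are assumptions.
$BiffSubPath = 'Software\Netscape\Netscape Navigator\biff\users'

function Get-NetscapeBiffEntries {
    # Walk every user hive currently loaded under HKEY_USERS so an admin
    # sees all loaded profiles, not only the current user (HKCU).
    foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $users = "Registry::$($hive.Name)\$BiffSubPath"
        if (-not (Test-Path -LiteralPath $users)) { continue }

        # Layout per the post: users\<username>\servers\<mail server>
        Get-ChildItem -LiteralPath $users -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.ValueCount -gt 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Sid        = $hive.PSChildName
                    Key        = $_.Name
                    # Report value names only; never echo the stored data.
                    ValueNames = $_.GetValueNames() -join ', '
                }
            }
    }
}

Get-NetscapeBiffEntries | Format-Table -AutoSize -Wrap
```

Any row returned means a mail login and its encrypted password are still present for that profile; as Pete Krawczyk's reply notes, the encrypted value may be usable as-is on another copy of Netscape, so treat it as a credential to rotate rather than as protected data.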
