ns4.5-mail-passwd.txt

Date: 17 Aug 1999 | Reported by: Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Netscape Communicator 4.5 stores mail passwords insecurely in preferences.js file.

Code

Date: Wed, 4 Nov 1998 18:29:55 +0100  
From: Holger van Lengerich <[email protected]>  
To: [email protected]  
Subject: Communicator 4.5 stores EVERY mail-password in preferences.js  
  
Hi!  
  
The Netscape Communicator 4.5 stores the crypted version of used  
mail-passwords (for imap and pop3) even if you tell Netscape to *not*  
"remember password" in the preferences dialog.  
  
Damage:  
=======  
IMHO this means that anybody who can read your preferences.js ("prefs.js"  
in the MS dominion) is probably able to read your mail or even get your  
plaintext-password.  
  
How to reproduce:  
=================  
- start Communicator  
- be sure "remember password" is disabled in the preferences dialog for the  
"Incoming Mail Server".  
- get mails from Server (you get asked for your mail-password)  
- exit Communicator  
- edit preferences.js in $HOME/.netscape (MS-Users: prefs.js in your  
NS-Profile-Path)  
- search for something like:  
--- 8< ---  
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");  
user_pref("mail.imap.server.mail.remember_password", false);  
--- >8 ---  
- Now change "false" to "true".  
- Save the file  
- Start Communicator  
- get mails  
  
... now you are not asked for any password but can read all your mail! :(  
  
Affected:  
=========  
probably all Communicator-4.5-packages on ALL operating systems.  
  
I was able to reproduce this behavior on:  
- Sun Solaris  
- Linux (glibc2)  
- MS Windows NT.  
  
Workaround:  
===========  
Don't use Communicator 4.5 to fetch mails from your IMAP/POP server or be  
very sure that no one can read your Netscape-preferences-file!!!  
  
Regards,  
Holger van Lengerich, "pine"-user :)  
  
PS: The preferences.js is sent to Netscape on Communicator-crash, isn't it?  
----------------------------------------------------------------------------  
Holger van Lengerich - University of Paderborn - Dept. of Computer Science  
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany  
mailto:[email protected] - http://www.uni-paderborn.de/admin/gimli  
  
  
----------------------------------------------------------------------------  
  
Date: Wed, 4 Nov 1998 17:20:27 -0600  
From: HD Moore <[email protected]>  
To: [email protected]  
Subject: Re: Communicator 4.5 stores EVERY mail-password in preferences.js  
  
In the Windows environment prefs.js isn't the only place that your password  
is stored. Netscape also creates a registry entry for your password  
(garbled as well) that any admin on your local LAN (or some cracker over the  
internet) can read by remotely connecting to your registry. The path it is  
stored in is:  
  
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\<profile  
name>\servers\<mail server hostname>\password  
  
This is with the 'don't save password' option checked on 4.5 (netscape.exe  
internal version: 4.50.2.19)  
  
By any chance does anyone know how the password is encrypted or how strong  
of encryption is used?  
  
I also managed to copy that registry entry onto a separate computer (while  
messenger was already open and I had checked my mail once), changed the  
hostname of the mail server entry to match and successfully retrieved mail  
with that account while sniffing the plain text pop3 pass over my dialup...  
  
---------------------------------------------------------------------------  
  
Date: Sat, 7 Nov 1998 11:41:31 +0100  
From: Holger van Lengerich <[email protected]>  
To: [email protected]  
Subject: NS-C4.5 & Mail-Passwords  
  
Hi,  
  
It turned out that only IMAP-Passwords are stored in the preferences.js  
after the Communicator process is correctly terminated. POP passwords are  
stored in preferences.js the first time you fetch mail from the server  
and cleared at Communicator exit. This happened using C4.5 on Sun Solaris.  
Some of you may reproduce this for other OSes and send me any feedback (NOT  
via bugtraq).  
  
Even this is a security problem:  
- Using a multiuser-OS like Unix: an evil user may access the preferences  
file while you are working with Communicator.  
- Files may be accessible via network shares.  
- In a crash situation the password may not be cleared from the  
preferences.js  
- In this case the "Quality Feedback Agent" (QFA) may, if you allow him to  
do so, transfer the preferences.js (w. crypted password) via Internet,  
(readable at any host on the way to Netscape Corp.)  
  
Be aware that the encryption of the password gives *NO* security. You don't  
need to know the decryption-algorithm, because Communicator itself can  
do the decryption for you. By using a packet sniffer (like HD-MOORE) or  
setting up a patched IMAP-/POP-Server with a password logging facility, you  
can easily get the plaintext-passwords.  
  
Regards,  
Holger van Lengerich  
  
----------------------------------------------------------------------------  
Holger van Lengerich - University of Paderborn - Dept. of Computer Science  
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany  
mailto:[email protected] - http://www.uni-paderborn.de/admin/gimli  
  
----------------------------------------------------------------------------  
  
Date: Fri, 6 Nov 1998 16:07:45 -0800  
From: Thievco <[email protected]>  
To: [email protected]  
Subject: Re: Which crypto algorithm? was: Communicator 4.5 stores EVERY mail-password in preferences.js (decoder)  
  
>Does anybody know the algorithm used to encrypt the passwords in  
>Communicator??  
  
Apparently, it takes the plaintext, xors it with a fixed string,  
and base64 encodes the result:  
  
use MIME::Base64;  
print ((decode_base64('NLyIPunfKw==')) ^ ("\x56" . "\xc9" . "\xef" .  
"\x4a" . "\x9b" . "\xbe" . "\x5a"));  
  
You need the MIME perl module.  
  
This one is good up to 7 characters, because that's how long a couple of  
POP passwords I have are :)  
  
Should be pretty straightforward to extend beyond 7 characters.. just take  
the encoded string from the prefs file, base64 decode it, and xor it with  
your password in plaintext. What you'll get is the fixed string to xor  
with.. just extend the bytes I have above. The sequence of bytes is  
non-obvious as to the meaning (at least to me.) It doesn't spell anything  
in ASCII. Let me know if it doesn't work on your passwords.. I'm curious.  
I only had a couple to try.  
  
BB  
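
The thread's practical takeaway for an administrator is to find out which profiles carry a stored mail password at all, especially one kept although "remember password" was off. The script below is an added example, not part of the original posts: it parses the `user_pref(...)` lines of a preferences.js / prefs.js, using the `mail.<proto>.server.<host>.password` and `.remember_password` names shown in the first message, and reports each stored password without decoding it. The sample profile text is constructed.

```python
import re

# Matches one line of preferences.js, e.g.
#   user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile: one server showing the condition from the
# thread (password kept although remember_password is false), one where
# the user actually opted in, and an unrelated pref.
SAMPLE_PREFS = """// Netscape User Preferences File (constructed sample)
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
user_pref("mail.imap.server.mail.remember_password", false);
user_pref("mail.imap.server.mail2.password", "Zm9v");
user_pref("mail.imap.server.mail2.remember_password", true);
user_pref("browser.startup.homepage", "http://example.invalid/");
"""

def parse_prefs(text):
    """Parse user_pref lines into a dict; strings unquoted, booleans converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # integers etc. are kept raw; not needed here
    return prefs

def audit_mail_passwords(text):
    """List every stored mail password and whether storing it was opted in.

    'unexpected' is True when a password value is present although the
    matching remember_password pref is absent or false, which is the
    behaviour the thread reports. The value itself is never decoded."""
    prefs = parse_prefs(text)
    findings = []
    for name, value in prefs.items():
        if not (name.startswith("mail.") and name.endswith(".password")):
            continue
        if not isinstance(value, str) or value == "":
            continue
        flag = prefs.get(name[:-len("password")] + "remember_password")
        findings.append({"pref": name, "remember": flag is True,
                         "unexpected": flag is not True})
    return findings

if __name__ == "__main__":
    for f in audit_mail_passwords(SAMPLE_PREFS):
        state = "UNEXPECTED (stored without opt-in)" if f["unexpected"] else "opted in"
        print(f"{f['pref']}: {state}")
```

Run it against a real profile by reading the file into `audit_mail_passwords`; any `unexpected` finding means the profile should be treated as if the password had been written to disk in the clear.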
  
