Lucene search
Packet StormPACKETSTORM:15304HistoryAug 17, 1999 - 12:00 a.m.
slmail3.txt
1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
28
`Date: Fri, 4 Sep 1998 16:38:13 +0100
From: Mnemonix <[email protected]>
Subject: SL-Mail ver 3.0.2423 security
Hi,
I thought I'd write to advise of a security issue with SLMail version
3.0.3423. Other versions may also be affected.
During the install you choose whether the passowrd is set to the account
name, "password" or blank. Which ever is chosen an encrypted password is
stored in the registry under the following key:
HKLM\Software\Seattle Lab\SLMail\Users
By default, the "Everyone" group has the ability to "set value". Therefore
it is possible for "Everyone" to:
a) Create their own account
b) Create their own alias to another account (eg root)
c) Change the passwords on other peoples accounts.
Point C is interesting in the fact that if the password is set to "NULL"
(eg, u;;ac_name.mbx;;) you can still log in with it to POP3. Why do I
consider this strange? Because if you choose a "blank" password during the
install a password is still created that decrypts to "blank" / "NULL". I'd
suggest that if the password is "Nulled out" that it should not be possible
to log in with this account until the password is reset by the admin.
There are also problems with the encryption method used. Below are some
accounts and their password (when "UserID" is used as the password.)
u;;aaaaaa.mbx; aa aa aa aa 1m Ym Wm Hl Vi Cl Qa hg;
u;;aaaaa.mbx; aa aa aa an 1m Ym Wm Hl Vi Cl Qa 0l;
u;;aaaa.mbx; aa aa am hn 1m Ym Wm Hl Vi Cl Qa vg;
u;;aaa.mbx; aa aa 2m hn 1m Ym Wm Hl Vi Cl Qa ck;
u;;aa.mbx; aa qo 2m hn 1m Ym Wm Hl Vi Cl Qa de;
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
u;;bbbbbb.mbx; aa aa aa aa 2m bm Zm sl Si Vl Pa 0g;
u;;bbbbb.mbx; aa aa aa Wn 2m bm Zm sl Si Vl Pa 3l;
u;;bbbb.mbx; aa aa am 0n 2m bm Zm sl Si Vl Pa Mg;
u;;bbb.mbx; aa aa 1m 0n 2m bm Zm sl Si Vl Pa bk;
u;;bb.mbx; aa Go 1m 0n 2m bm Zm sl Si Vl Pa We;
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
u;;"19 c's".mbx; aa aa aa aa aa aa aa aa aa aa a4 7k;
u;;"16 c's".mbx; aa aa aa aa aa aa aa aa aa aa ae Ze;
u;;"15 c's".mbx; aa aa aa aa aa aa aa aa aa aa Oa mj;
u;;"14 c's".mbx; aa aa aa aa aa aa aa aa aa Wl Oa Tc;
u;;"13 c's".mbx; aa aa aa aa aa aa aa aa ai +l Oa +j;
u;;"12 c's".mbx; aa aa aa aa aa aa aa aa Ti +l Oa -c;
u;;"9 c's".mbx; aa aa aa aa aa aa Ym dl Ti +l Oa 6i;
u;;"8 c's".mbx; aa aa aa aa aa qm Ym dl Ti +l Oa 7e;
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
u;;c.mbx; au zw GO rS ev Ju rv Wt or Tk lb is;
u;;d.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4t;
u;;e.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ot;
u;;f.mbx; au zw GO rS ev Ju rv Wt or Tk lb yt;
u;;g.mbx; au zw GO rS ev Ju rv Wt or Tk lb it;
u;;h.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4q;
u;;i.mbx; au zw GO rS ev Ju rv Wt or Tk lb Oq;
u;;j.mbx; au zw GO rS ev Ju rv Wt or Tk lb yq;
u;;k.mbx; au zw GO rS ev Ju rv Wt or Tk lb iq;
u;;l.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4r;
u;;m.mbx; au zw GO rS ev Ju rv Wt or Tk lb Or;
u;;n.mbx; au zw GO rS ev Ju rv Wt or Tk lb yr;
u;;o.mbx; au zw GO rS ev Ju rv Wt or Tk lb ir;
u;;p.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4w;
u;;q.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ow;
u;;r.mbx; au zw GO rS ev Ju rv Wt or Tk lb yw;
u;;s.mbx; au zw GO rS ev Ju rv Wt or Tk lb iw;
(incidently if the account is one alphanumeric long and "UserID" is chosen
as the password the passwords don't decrypt and login fails)
Depending on the ACLs set on the winreg key (if present) these changes
could be affected remotely, though in most cases local access may be
needed. Admins should set the ACLs on the SLMail subkey if they don't want
this to be an issue and physical security can not be implemented.
L8r
Mnemonix
http://www.infowar.co.uk/digital-eclipse
http://www.users.globalnet.co.uk/~mnemonix
`