
slmail3.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

Security issue in SLMail 3.0.2423: a registry key writable by "Everyone" allows unauthorized changes to accounts, and stored passwords use weak encryption.

Code
`Date: Fri, 4 Sep 1998 16:38:13 +0100  
From: Mnemonix <[email protected]>  
Subject: SL-Mail ver 3.0.2423 security  
  
Hi,  
  
I thought I'd write to advise of a security issue with SLMail version  
3.0.3423. Other versions may also be affected.  
  
During the install you choose whether the password is set to the account  
name, "password" or blank. Whichever is chosen, an encrypted password is  
stored in the registry under the following key:  
  
HKLM\Software\Seattle Lab\SLMail\Users  
  
By default, the "Everyone" group has the ability to "set value". Therefore  
it is possible for "Everyone" to:  
  
a) Create their own account  
b) Create their own alias to another account (eg root)  
c) Change the passwords on other people's accounts.  
  
Point C is interesting in the fact that if the password is set to "NULL"  
(eg, u;;ac_name.mbx;;) you can still log in with it to POP3. Why do I  
consider this strange? Because if you choose a "blank" password during the  
install a password is still created that decrypts to "blank" / "NULL". I'd  
suggest that if the password is "Nulled out" that it should not be possible  
to log in with this account until the password is reset by the admin.  
  
There are also problems with the encryption method used. Below are some  
accounts and their password (when "UserID" is used as the password.)  
  
u;;aaaaaa.mbx; aa aa aa aa 1m Ym Wm Hl Vi Cl Qa hg;  
u;;aaaaa.mbx; aa aa aa an 1m Ym Wm Hl Vi Cl Qa 0l;  
u;;aaaa.mbx; aa aa am hn 1m Ym Wm Hl Vi Cl Qa vg;  
u;;aaa.mbx; aa aa 2m hn 1m Ym Wm Hl Vi Cl Qa ck;  
u;;aa.mbx; aa qo 2m hn 1m Ym Wm Hl Vi Cl Qa de;  
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;  
  
u;;bbbbbb.mbx; aa aa aa aa 2m bm Zm sl Si Vl Pa 0g;  
u;;bbbbb.mbx; aa aa aa Wn 2m bm Zm sl Si Vl Pa 3l;  
u;;bbbb.mbx; aa aa am 0n 2m bm Zm sl Si Vl Pa Mg;  
u;;bbb.mbx; aa aa 1m 0n 2m bm Zm sl Si Vl Pa bk;  
u;;bb.mbx; aa Go 1m 0n 2m bm Zm sl Si Vl Pa We;  
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;  
  
u;;"19 c's".mbx; aa aa aa aa aa aa aa aa aa aa a4 7k;  
u;;"16 c's".mbx; aa aa aa aa aa aa aa aa aa aa ae Ze;  
u;;"15 c's".mbx; aa aa aa aa aa aa aa aa aa aa Oa mj;  
u;;"14 c's".mbx; aa aa aa aa aa aa aa aa aa Wl Oa Tc;  
u;;"13 c's".mbx; aa aa aa aa aa aa aa aa ai +l Oa +j;  
u;;"12 c's".mbx; aa aa aa aa aa aa aa aa Ti +l Oa -c;  
u;;"9 c's".mbx; aa aa aa aa aa aa Ym dl Ti +l Oa 6i;  
u;;"8 c's".mbx; aa aa aa aa aa qm Ym dl Ti +l Oa 7e;  
  
  
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;  
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;  
u;;c.mbx; au zw GO rS ev Ju rv Wt or Tk lb is;  
u;;d.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4t;  
u;;e.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ot;  
u;;f.mbx; au zw GO rS ev Ju rv Wt or Tk lb yt;  
u;;g.mbx; au zw GO rS ev Ju rv Wt or Tk lb it;  
u;;h.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4q;  
u;;i.mbx; au zw GO rS ev Ju rv Wt or Tk lb Oq;  
u;;j.mbx; au zw GO rS ev Ju rv Wt or Tk lb yq;  
u;;k.mbx; au zw GO rS ev Ju rv Wt or Tk lb iq;  
u;;l.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4r;  
u;;m.mbx; au zw GO rS ev Ju rv Wt or Tk lb Or;  
u;;n.mbx; au zw GO rS ev Ju rv Wt or Tk lb yr;  
u;;o.mbx; au zw GO rS ev Ju rv Wt or Tk lb ir;  
u;;p.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4w;  
u;;q.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ow;  
u;;r.mbx; au zw GO rS ev Ju rv Wt or Tk lb yw;  
u;;s.mbx; au zw GO rS ev Ju rv Wt or Tk lb iw;  
  
  
(incidentally if the account is one alphanumeric long and "UserID" is chosen  
as the password the passwords don't decrypt and login fails)  
  
Depending on the ACLs set on the winreg key (if present) these changes  
could be effected remotely, though in most cases local access may be  
needed. Admins should set the ACLs on the SLMail subkey if they don't want  
this to be an issue and physical security cannot be implemented.  
  
L8r  
Mnemonix  
http://www.infowar.co.uk/digital-eclipse  
http://www.users.globalnet.co.uk/~mnemonix  
`
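
The advisory's mitigation is to tighten the ACL on the SLMail subkey. The following PowerShell audit is an added example, not part of the original advisory or of SLMail: it lists allow entries that give broad groups write access to the key named above. The well-known SIDs and the generic-rights bits are standard Windows values; the default path is taken from the advisory and may differ on a given install.

```powershell
param(
    # Key path from the advisory; override if the product is installed elsewhere.
    [string]$KeyPath = 'HKLM:\Software\Seattle Lab\SLMail\Users'
)

# Broad groups (well-known SIDs) that should not be able to modify account data.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing or adding values/subkeys, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear unmapped in inherited ACEs.
$writeMask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
             [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             0x40000000 -bor 0x10000000

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not found: $KeyPath"
    return
}

# Only allow ACEs are examined; deny ACEs are not evaluated here.
$findings = foreach ($rule in (Get-Acl -Path $KeyPath).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    try {
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # principal could not be resolved to a SID
    if ($broadSids.ContainsKey($sid) -and
        (([int]$rule.RegistryRights) -band $writeMask)) {
        [pscustomobject]@{
            Principal = $broadSids[$sid]
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad write access found on $KeyPath" }
```

Any row in the output means a non-administrative group can still set values under the key, which is the condition the advisory describes.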
