Date: Thu, 4 Mar 1999 22:30:42 -0800
From: Steven Alexander <steve@cell2000.net>
To: BUGTRAQ@netspace.org
Subject: IMAIL password recovery is trivial.


The user passwords for Ipswitch's IMail server are stored in
encrypted(sorta) form in the Windows NT registry.
(HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\yourdomain\users\)  The
scheme used to protect the password seems to only be intended to deter the
curious user.

IMail adds the value of the first character of the username with the value
of the first character of the password.  It then puts the sum of the two in
hex into the registry.  It then repeats this with the second letters of both
the username and the password.  If the password is longer than the username,
the username is repeated.

Example:

username:                      test
encrypted-password:    BD D4 EA E2 ED D4 E8
the hex values of the username are: 74 65 73 74

hence:

    BD     D4    EA     E2    ED    D4     E8
    -74    -65    -73    -74    -74    -65    -73

=  49      6F     77     6E     79     6F     75
= Iownyou

No decent product should be using methods like this.  This is not simply a
misimplementation of a strong method, it is a perfect example of a vendor
trying to cut corners.  If someone has access to the mail server and is able
to access the registry(which users are able depends on your configuration)
all of the IMail passwords can be recovered.  This could also be used to
build a dictionary for tools such as L0pht Crack and/or to compromise
Administrator accounts.

Steven Alexander
steve@cell2000.net