Pegasus Mail weak encryption

From: galldor (galldorat_private)
Date: Sat May 15 1999 - 05:42:12 PDT


    ---------------------------------------------------------------------
    Pegasus Mail Weak Encryption
    Versions Affected: ALL (but I wrote about the V2 encryption on
    3.0+)
    Bug Found by: galldor (galldorat_private)
    Versions tested: V1 and V2 of the password encryption
    Brief Description: There is weak encryption in Pegasus Mail
    which allows users to read POP3 passwords.
    ---------------------------------------------------------------------
    
    I've found extremely weak encryption in the Pegasus Mail client.
    This can be cracked with ease, which means any user could find
    out other people's POP3 passwords.
    
    The POP3 passwords are kept in \mail\USER\pmail.ini,
    so c:\pmail\mail\g00f\pmail.ini would give the user g00f's
    configuration file.
    The file looks something like this:
    
    [Pegasus Mail for Windows - built-in TCP/IP Mail]
    Host where POP3 mail account is located   = g00fey.com
    POP3 mail account (username on host)      = g00f
    V2 Password for POP3 mail account         = $moL
    Delete downloaded mail from host          = Y
    Largest message size to retrieve          = 0
    Directory to place incoming POP3 mail     = C:\PMAIL\MAIL\g00f
    Transport control word                    = 66308
    SMTP relay host for outgoing mail         = g00fey.com
    Search mask to locate outgoing messages   = C:\PMAIL\MAIL\g00f\*.PMX
    Alternative From: field for message       = galldorat_private
    
    As this text file is world read/writable, a user could easily edit the
    file so messages go to a new directory, or choose not to delete
    POP3 mail from the host.
    But the main problem is the weak encryption on the V2 password.
    This is a very simple algorithm.
    
    It is encrypted as follows, based on:
    
    The letter itself.
    The placement of the letter in the password.
    V2 encrypts so that there is the same number of letters/numbers
    as in the password.
    
    Cracking it:
    I won't go into that much detail as it is so simple; if someone could
    be bothered they could write a small C program to do this.
    
    First you have to ignore the $ completely. The letters and numbers
    after the $ are the encrypted values of the password, so the number of
    characters after the $ is also the size of the password.
    Here are a few examples of how to crack it and how the encryption
    works.
    
    a = $m	# Just testing....
    aa = $mo
    aaa = $moL
    
    b = $R
    bb = $R?
    bbb = $R?8
    
    # As you can see, the weak encryption is already showing, as the
    encryption doesn't even encrypt by the number of letters.
    
    # The Encryption works like this
    
    1st Letter placement of a = m
    2nd Letter placement of a = o
    3rd Letter placement of a = L
    
    etc etc
    So to find aab it would be as follows:
    
    aab = 1st a + 2nd a + 3rd b = mo8 # so in the ini the pass
    will be $mo8
    abb = 1st a + 2nd b + 3rd b = $m?8
    
    So you could now find out:
    
    bab = $Ro8
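
    To make the property described above concrete, here is an added example (not from the original post) that learns one substitution table per position from only the six a/b pairs listed, checks that the pairs never contradict each other, and reproduces the aab, abb and bab derivations by mixing cells. The table contents, the $ prefix and the pair list come from the post; the function names are my own, and every character outside those pairs is unknown to it.

```python
from typing import Dict, List, Tuple

PREFIX = "$"  # marker before the V2 value in pmail.ini; not part of the password

# Known (password, stored value) pairs, taken from the post. Nothing else is assumed.
KNOWN_PAIRS: List[Tuple[str, str]] = [
    ("a", "$m"), ("aa", "$mo"), ("aaa", "$moL"),
    ("b", "$R"), ("bb", "$R?"), ("bbb", "$R?8"),
]


def learn_tables(pairs: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """tables[i] maps plaintext char -> stored char at position i.

    A pair contradicting an earlier one raises ValueError; that would show the
    scheme is not a pure position-keyed substitution after all.
    """
    tables: List[Dict[str, str]] = []
    for plain, stored in pairs:
        if not stored.startswith(PREFIX) or len(stored) - 1 != len(plain):
            raise ValueError(f"length mismatch in pair {plain!r} -> {stored!r}")
        for i, (p, c) in enumerate(zip(plain, stored[1:])):
            while len(tables) <= i:
                tables.append({})
            if tables[i].setdefault(p, c) != c:
                raise ValueError(f"position {i + 1}: {p!r} has two encodings")
    return tables


def encode(password: str, tables: List[Dict[str, str]]) -> str:
    """Mix and match per-position cells, exactly as the post derives aab."""
    out = []
    for i, p in enumerate(password):
        if i >= len(tables) or p not in tables[i]:
            raise KeyError(f"no known cell for {p!r} at position {i + 1}")
        out.append(tables[i][p])
    return PREFIX + "".join(out)


def decode(stored: str, tables: List[Dict[str, str]]) -> str:
    """Invert the tables; the stored length is the password length."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a V2 value")
    inverse = [{c: p for p, c in t.items()} for t in tables]
    out = []
    for i, c in enumerate(stored[1:]):
        if i >= len(inverse) or c not in inverse[i]:
            raise KeyError(f"no known cell for {c!r} at position {i + 1}")
        out.append(inverse[i][c])
    return "".join(out)
```

    Because no key enters the tables and each cell depends only on the character and its position, a single configuration file with a known password already fixes those cells for every other user's file.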
    
    As Pegasus is a popular mail client on Windows networks, this
    could mean a compromise of security, as most POP3 passwords are
    the same as the telnet/ssh etc. passwords.
    Older versions of Pegasus use the same kind of encryption; it is set
    out the same but just uses different numbers and letters to encrypt.
    
    ---------------------------------
    Galldor
    
    http://g00fteam.hypermart.net
    http://www.microhack.com
    ---------------------------------
    