Open Source and information security mailing list archives
 
From: andy at selekta.com (andy )
Subject: Re: IpSwitch IMail Server <= ver 8.1 User Password Decryption

<http://www.croftssoftware.com/files/index.php?id=13>

About halfway down the page, there's a utility that'll decode them in nanoseconds, called, oddly enough, Decode Imail User Passwords.

andy

>On Mon, 16 Aug 2004, Adik wrote:
>
>> IpSwitch IMail Server versions up to 8.1 use a weak encryption algorithm to
>> encrypt user passwords. Have a look at the attached proof of concept tool,
>> which will decrypt a user password from the local machine instantly.
>
>Heck, this isn't even news. It was posted to Bugtraq a while back. Like 
>1999. This URL details Imail's password scheme for Imail 5.0:
>
>http://seclists.org/bugtraq/1999/Dec/0255.html
>
>About a year ago, I found that article, and used it to "decrypt" a few 
>lost email passwords on my Imail 7.15 installation.
>
>Given the fact that Imail tries to do just about everything (it does POP3, 
>SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries), 
>this sort of thing is probably bound to stay around for a while.
>
>One of the neat things about Imail (other than that it does practically 
>everything) is that it's backwards-compatible. If my Imail 8.1x 
>installation does something weird, I can roll it back to Imail 7.x with 
>maybe fifteen minutes' work. This level of backwards compatibility does 
>lead to weird problems and security issues (q.v. every version of DOS and 
>Windows for about fifteen years).
>
>...dave
 

 
______________ ______________ ______________ ______________
selekta.com


 
                   

