Possible Netscape Crypto Security Flaw
Haze (Haze@BEER.COM)
Sun, 14 Feb 1999 21:13:46 -0600
When you go into Netscape Messenger and check your mail, the software
stores the password you used in the registry and encrypts it. It remains
there for as long as Netscape is open. The login and password are kept
in:
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\biff\users\username(varies)\servers\
Here is the scenario...
Let's say Regular Joe A runs Netscape and then checks his email first
off... He checks it, enters his password, and his password is stored in
the registry...
Let's say after he gets done checking his mail, he doesn't close
Netscape and decides to browse the web. He comes across Malicious Site A,
which contains malicious JavaScript code to read his local registry files
and retrieve his mail server login (unencrypted), encrypted password, and
his mail server. Well then the cracker could perform a brute force crack
on the encryption and attempt to gain access to Regular Joe A's ISP
and/or POP3 e-mail account...
---------------------------------------------------------------------------
Re: Possible Netscape Crypto Security Flaw
HD Moore (hdmoore@USA.NET)
Tue, 16 Feb 1999 13:02:08 -0600
First of all, if someone can access your registry files via
JavaScript, you have worse problems to deal with.
The storing of the mail password in the registry was mentioned in a post
of mine that can be found at:
http://geek-girl.com/bugtraq/1998_4/0344.html
The password is *still* in the registry after you close netscape,
keeping netscape open is not required. If they could access your
registry files to begin with, why not save the trouble of digging it out
and just snag prefs.js / preferences.js?
Anyways, my 2 cents..
-HD
---------------------------------------------------------------------------
Re: Possible Netscape Crypto Security Flaw
Pete Krawczyk (pkrawczy@UIUC.EDU)
Tue, 16 Feb 1999 11:07:05 -0600
At 09:13 PM 2/14/99 -0600, Haze wrote:
>Well
>then the cracker could perform a brute force crack on the encryption and
>attempt to gain access to the Regular Joe A's ISP and/or pop3 e-mail
>account...
To get to the POP3 account, you'd only need to put the password in a
registry key of your own, then check the mail. I would imagine that the
key to encrypt is the same across all copies of Netscape.
Along those lines, if you had a sniffer next to the computer you put the
encrypted password on, you could sniff the real password in transit and
thus not have to brute force attack the password, since POP3 is cleartext
traffic.
-Pete K
--
Pete Krawczyk http://www.uiuc.edu/ph/www/pkrawczy/
pkrawczy at uiuc dot edu Finger the 2nd address for PGP Public Key
petek at bsod dot net "No spammies, no spammies, no spammies... stop!"
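As an added example (not code from the original thread or from any of its authors), the following Python script shows what Pete's sniffer would actually recover from a POP3 login: it walks a captured session and pulls out the USER/PASS pair in the clear, so nothing has to be brute-forced. It goes slightly beyond the post by also decoding AUTH PLAIN (cleartext once base64-decoded) and by flagging APOP, which sends an MD5 digest rather than the password itself and so yields only something to crack offline. The captured sessions, hostnames, user name, password and digest are all constructed for this example.

```python
"""Recover POP3 credentials from captured cleartext sessions.

Added example, not from the original Bugtraq thread. All session text
below is constructed; the user, password and APOP digest are made up.
"""
import base64
import re

# Constructed captures: "C:" = client -> server, "S:" = server -> client.
USERPASS_SESSION = """\
S: +OK POP3 mail.example.test ready <1234.9876@mail.example.test>
C: USER joe
S: +OK
C: PASS hunter2
S: +OK joe has 3 messages
C: QUIT
S: +OK bye
"""

APOP_SESSION = """\
S: +OK POP3 mail.example.test ready <1234.9876@mail.example.test>
C: APOP joe c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop locked
C: QUIT
S: +OK
"""

PLAIN_SESSION = """\
S: +OK ready
C: AUTH PLAIN
S: +
C: AGpvZQBodW50ZXIy
S: +OK
C: QUIT
S: +OK
"""

_LINE = re.compile(r"^(C|S):\s?(.*)$")


def _decode_plain(blob):
    """SASL PLAIN blob is base64(authzid \\0 authcid \\0 password); None if malformed."""
    try:
        fields = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:
        return None
    if len(fields) != 3:
        return None
    return fields[1].decode("utf-8", "replace"), fields[2].decode("utf-8", "replace")


def _attempt(mechanism, user, secret, cleartext):
    return {"mechanism": mechanism, "user": user, "secret": secret,
            "cleartext": cleartext, "accepted": None}


def parse_pop3_session(capture):
    """Return one dict per authentication attempt seen in the capture."""
    results, pending, user, expect_blob = [], None, None, False
    for raw in capture.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        side, text = m.groups()
        if side == "S":
            # Only the reply to an auth attempt matters; greeting/other replies are noise.
            if pending is None:
                continue
            if text.startswith("+OK"):
                pending["accepted"] = True
            elif text.startswith("-ERR"):
                pending["accepted"] = False
            else:
                continue  # "+" continuation: verdict still to come
            results.append(pending)
            pending = None
            continue
        if expect_blob:  # client answering the AUTH PLAIN continuation
            expect_blob = False
            decoded = _decode_plain(text)
            if decoded:
                pending = _attempt("AUTH PLAIN", decoded[0], decoded[1], True)
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":          # the password itself, in the clear
            pending = _attempt("USER/PASS", user, arg, True)
        elif cmd == "APOP":          # MD5(timestamp + password): crackable, not reusable as-is
            name, _, digest = arg.partition(" ")
            pending = _attempt("APOP", name, digest, False)
        elif cmd == "AUTH" and arg.upper().startswith("PLAIN"):
            _, _, initial = arg.partition(" ")
            decoded = _decode_plain(initial) if initial else None
            if decoded:
                pending = _attempt("AUTH PLAIN", decoded[0], decoded[1], True)
            else:
                expect_blob = True
    if pending is not None:
        results.append(pending)  # capture ended before the server answered
    return results


def cleartext_passwords(capture):
    """(user, password) pairs the server accepted; these log in directly."""
    return [(a["user"], a["secret"]) for a in parse_pop3_session(capture)
            if a["cleartext"] and a["accepted"]]


if __name__ == "__main__":
    for label, cap in (("USER/PASS", USERPASS_SESSION), ("AUTH PLAIN", PLAIN_SESSION),
                       ("APOP", APOP_SESSION)):
        print(label, parse_pop3_session(cap), cleartext_passwords(cap))
```

Run it directly to see the three parses; the APOP session yields an accepted attempt but no reusable password, which is exactly the distinction a sniffer on the wire cares about.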