Bugtraq mailing list archives
Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords")
From: robert.e.jones () CWO COM AU (Rob Jones)
Date: Fri, 17 Dec 1999 16:04:10 +1100
case Netscape needs to run out and get a bar so they can raise it. This is a red herring. Local secure storage of secrets in PCs without another
I don't know if it applies to windoze but the Linux & xBSD versions of Netscape store the 'encoded' (not encrypted) password even if the user never ticks the remember password box. Now that Netscape should fix!
Local secure storage of secrets is a service that needs to be provided by the operating system. In the case of Windows NT you can store them (with some limitations) using the Local System Authority (LSA) API. Under Windows 95/98 there is an API to store secrets using the user's logon password (stores the secrets in .PWL files) but to my knowledge it is not documented by Microsoft (although they allude to it in some early Windows 95 presentation slides). Maybe someone with more knowledge of Microsoft operating systems can confirm?
Regardless of whether the secrets are encoded with the user's password, they are decodable anyway. There are plenty of password extractors for .pwl files.

Rob