Bugtraq mailing list archives

Netscape password scrambling

From: gem () RSTCORP COM (Gary McGraw)
Date: Mon, 20 Dec 1999 08:02:19 -0500


There has been some minor controversy about the importance and relevance
of the RST cryptanalysis of the Netscape mail password in current
versions of the software.  Previous work on Netscape mail passwords
(among other things) done by Dave Edis and posted to bugtraq exposed a
weak password scrambling attack over a year ago.  Though the algorithm
we discovered is somewhat similar, old password crackers do not work on
the existing system.  Our algorithm is new.  We acknowledge the previous
discoveries and their relation to the one we found independently.

More importantly, some people have claimed that the entire password
saving issue is a red herring since there is no way to protect a secret
on the host.  This criticism is worth thinking about more carefully.  We
suggest that Netscape "raise the bar" by using triple-DES and hiding key
material for the cipher throughout the code.  But can't you just apply
some clever SoftICE to find the key?  Of course you can!  Doing so
requires much more sophistication than simply cracking a "magic decoder
ring" scrambler, however.

In any case, here is a scenario that makes a strong point for raising
the bar.  Consider the case of a Web-based Javascript attack that is
able to steal a file remotely but not do any other file modification.
Based on Richard Smith's work, we have a working Javascript attack
against the latest MSIE that is capable of stealing files, including
preferences files with the scrambled password.  There are similar
Javascript attacks against Netscape versions 4.0-4.05 (old).
Descrambling the password using our discovery is trivial.  Together, the
two exploits allow an attacker to steal a password remotely without
having to install a sniffer on a local LAN to snag the plaintext
password as it goes by (at least with POP3...IMAP has better optional
protection).  That's why we think it is worth raising the bar.

There is no perfect solution to this problem of wanting to make life
easy for users by remembering their password on the client.  But a good
solution is a far cry better than a bad one.

gem

Gary McGraw, Ph.D    gem () rstcorp com
Vice President, Corporate Technology
Reliable Software Technologies
Dulles, VA
<http://www.rstcorp.com/~gem>
<http://www.securingjava.com>

Current thread:

BindView Security Advisory: Vulnerability in Windows NT's SYSKEY feature, (continued)
- - - BindView Security Advisory: Vulnerability in Windows NT's SYSKEY feature BindView Security Advisory (Dec 16)
    - Cisco Security Advisory: Cisco Cache Engine Authentication Vulnerabilities security-alert () CISCO COM (Dec 16)
    - Reinventing the wheel (aka "Decoding Netscape Mail passwords") Vanja Hrustic (Dec 15)
    - Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") John Viega (Dec 16)
    - Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Tim Hollebeek (Dec 16)
    - Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Aleph One (Dec 16)
    - ssh/rsaref bo exploit code Iván Arce (Dec 16)
    - Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Rob Jones (Dec 16)
    - More on Red Hat 6.1 sysklogd David F. Skoll (Dec 19)
    - Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) suid (Dec 19)
    - Netscape password scrambling Gary McGraw (Dec 20)
    - Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Holger van Lengerich (Dec 20)
    - Microsoft Security Bulletin (MS99-059) Microsoft Product Security (Dec 20)
    - (Possible) Linuxconf Remote Buffer Overflow Vulnerability Elias Levy (Dec 21)
    - Infoseek Ultraseek Remote Buffer Overflow luciano (Dec 16)
    - Re: Infoseek Ultraseek Remote Buffer Overflow Marc (Dec 16)
  - Re: sadmind exploits (remote sparc/x86) Casper Dik (Dec 10)