Bugtraq mailing list archives

Pegasus Mail weak encryption


From: galldor () UKONLINE CO UK (galldor)
Date: Sat, 15 May 1999 12:42:12 +0000


---------------------------------------------------------------------
Pegasus Mail Weak Encryption
Versions Affected: ALL (but I wrote about the V2 encryption on
3.0+)
Bug Found by: galldor (galldor () microhack com)
Versions tested: V1 and V2 of the password encryption
Brief Description: There is weak encryption in Pegasus Mail
which allows users to read POP3 passwords.
---------------------------------------------------------------------

I've found extremely weak encryption in the Pegasus Mail client.
This can be cracked with ease, which means any user could find
out other people's POP3 passwords.

The POP3 passwords are kept in \mail\USER\pmail.ini,
so c:\pmail\mail\g00f\pmail.ini would give the user g00f's
configuration file.
The file looks something like this:

[Pegasus Mail for Windows - built-in TCP/IP Mail]
Host where POP3 mail account is located   = g00fey.com
POP3 mail account (username on host)      = g00f
V2 Password for POP3 mail account          = $moL
Delete downloaded mail from host              = Y
Largest message size to retrieve                = 0
Directory to place incoming POP3 mail      = C:\PMAIL\MAIL\g00f
Transport control word                              = 66308
SMTP relay host for outgoing mail             = g00fey.com
Search mask to locate outgoing messages   = C:\PMAIL\MAIL\g00f\*.PMX
Alternative From: field for message       = galldor () microhack com

As this text file is world read/writable, a user could easily edit the
file so messages go to a new directory, or choose not to delete
POP3 mail from the host.
But the main problem is the weak encryption on the V2 password.
This is a very simple algorithm.

It is encrypted as follows, based on:

The letter itself.
The placement of the letter in the password.
V2 encrypts so that there is the same number of letters/numbers
as in the password.

Cracking it:
I won't go into that much detail as it is so simple; if someone could
be bothered they could write a small C program to do this.

First you have to ignore the $ completely. The letters and numbers
after the $ are the encrypted values of the password, so the number
of characters after the $ is also the size of the password.
Here are a few examples of how to crack it and how the encryption
works.

a = $m  # Just testing....
aa = $mo
aaa = $moL

b = $R
bb = $R?
bbb = $R?8

# As you can see the weak encryption is already showing, as the
encryption doesn't even encrypt by the number of letters.

# The Encryption works like this

1st Letter placement of a = m
2nd Letter placement of a = o
3rd Letter placement of a = L

etc etc
So to find aab it would be as follows:

aab = 1st a + 2nd a + 3rd b = mo8 # so in the ini the pass
will be $mo8
abb = 1st a + 2nd b + 3rd b = $m?8

So you could now find out:

bab = $Ro8
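As an added illustration (not code from the original post or from Pegasus Mail), here is the scheme described above modelled as a position-dependent substitution: a -> m,o,L and b -> R,?,8 are the values quoted in the post, every other table entry is constructed. Because there is no secret key, anyone who can set a known password and read pmail.ini can rebuild the whole table, which is what makes this obfuscation rather than encryption.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits        # plaintext characters modelled
SYMBOLS = string.ascii_letters + string.digits + "?!%&*+-./:;<=>@[]^_{}|~"
MAX_LEN = 8

# The only real data points, taken from the post: a -> m,o,L and b -> R,?,8.
KNOWN = {0: {"a": "m", "b": "R"}, 1: {"a": "o", "b": "?"}, 2: {"a": "L", "b": "8"}}


def build_tables(max_len=MAX_LEN):
    """One 1:1 substitution table per position (a constructed stand-in for the client's)."""
    tables = []
    for pos in range(max_len):
        table = dict(KNOWN.get(pos, {}))
        used = set(table.values())
        # Rotate the symbol pool by position so each position has a different alphabet.
        pool = SYMBOLS[pos * 7:] + SYMBOLS[:pos * 7]
        free = iter(s for s in pool if s not in used)
        for c in ALPHABET:
            if c not in table:
                table[c] = next(free)
        tables.append(table)
    return tables


def encode(password, tables):
    """Stored form: '$' then one symbol per character, chosen by (character, position)."""
    return "$" + "".join(tables[pos][c] for pos, c in enumerate(password))


def recover_inverse(oracle, alphabet=ALPHABET, max_len=MAX_LEN):
    """Known-plaintext table recovery: encoding 'c' repeated max_len times reveals
    the symbol for c at every position, because nothing secret is mixed in."""
    inverse = [dict() for _ in range(max_len)]
    for c in alphabet:
        body = oracle(c * max_len)[1:]              # drop the '$' marker
        for pos, sym in enumerate(body):
            inverse[pos][sym] = c
    return inverse


def decode(stored, inverse):
    """Invert a stored value using the recovered per-position tables."""
    return "".join(inverse[pos][sym] for pos, sym in enumerate(stored[1:]))


TABLES = build_tables()
INVERSE = recover_inverse(lambda pw: encode(pw, TABLES))

if __name__ == "__main__":
    for pw in ("a", "aa", "aaa", "aab", "abb", "bab", "g00f"):
        print(pw, "->", encode(pw, TABLES), "->", decode(encode(pw, TABLES), INVERSE))
```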

As Pegasus is a popular mail client on Windows networks, this
could mean a compromise of security as most POP3 passwords are
the same as the telnet/ssh etc.
Older versions of Pegasus use the same kind of encryption; it is set
out the same but just uses different numbers and letters to encrypt.

---------------------------------
Galldor

http://g00fteam.hypermart.net
http://www.microhack.com
---------------------------------
