Bugtraq mailing list archives
Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: Peter W <peterw () usa net>
Date: Fri, 8 Jun 2001 16:06:02 -0400
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
> While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the password is transmitted via a secure session, the encrypted form is returned almost immediately in a non-encrypted www session. Also, this password is typically emailed back and forth to the user no less than two times (and often times more). This allows several opportunities for someone to observe the encrypted password; this in and of itself is not good.
Plus when you submit a change request template, your email contains the plaintext password. :-( And that's the problem: not the crypt routine, but the cleartext data xfer.
> Possible Workarounds: Do not use the Crypt-PW authentication-scheme. Use the MAIL_FROM or PGP scheme instead.
If someone attempts to make changes to a domain with a Network Solutions old-style[0] admin or billing handle, Network Solutions will email the responsible handle's address. With MAIL_FROM, the email address is available via a whois query. Easily obtained, easily spoofed, and if you get cracked, you have to get NetSol involved to clean up. *Do NOT use mail_from!!!*

You're in just as much trouble if someone gets your encrypted NetSol CRYPT-PW password. But, unlike the email address, the encrypted password is not readily available. An attacker without the encrypted password can only attempt to guess the password. And the attacker must send a change request to test their guess. And you get emailed each time they try. The only effective way to crack a CRYPT-PW handle is to sniff the email channel [so the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].

Which gets us to footnote [0]: for many months, Network Solutions has been using a fully Web-based system for domain/handle maintenance. So to the extent you're concerned about CRYPT-PW, I'd suggest two viable alternatives: change the authentication method to PGP (very easy), or create new NIC handles for the Web-based management system and transfer your domains' contact handles to the Web-based handles. Those with many domains will likely find the Web-based interface annoying, especially for batch updates. But for goodness' sake, do *not* use MAIL_FROM !!!

-Peter
> If you must use CRYPT-PW then the following suggestions are recommended:
Changing your password means sending the cleartext value to NetSol via email. So changing your password involves risk. :-(
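The weakness the thread is about is that a traditional DES crypt(3) string echoes its two-character salt as its first two characters, so a scheme that takes the salt from the first two characters of the password prints those characters in every "encrypted" copy that gets mailed around. The following Python is an added illustration written for this archive page, not code from either poster or from Network Solutions: it shows the check a handle owner could run on the hash string a registrar hands back (does the salt equal the start of my password?), how a salt should be chosen instead (independent of the password), and how much of the guessing space a leaked two-character prefix removes. The sample password and hash string are constructed for the example; the hash is not a real crypt(3) output, only a string with the right shape.

```python
import secrets
import string

# Traditional DES crypt(3) output is 13 characters drawn from this 64-symbol
# alphabet; the first two characters are the salt, reproduced verbatim.
SALT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase


def salt_of(crypt_hash: str) -> str:
    """Return the salt embedded in a traditional 13-character crypt(3) string."""
    if len(crypt_hash) != 13 or any(c not in SALT_ALPHABET for c in crypt_hash):
        raise ValueError("not a traditional DES crypt(3) string")
    return crypt_hash[:2]


def salt_derived_from_password(crypt_hash: str, password: str) -> bool:
    """Check whether the service used the password's own first two characters as salt.

    Only the password holder can run this check, since it needs the cleartext.
    A random salt matches the prefix by chance with probability 1/4096, so a
    single True is a strong signal, not a proof; repeat it after a password change.
    """
    return salt_of(crypt_hash) == password[:2]


def random_salt() -> str:
    """Choose a salt independently of the password, the way crypt(3) callers should."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def guess_space(password_length: int, alphabet_size: int, leaked_prefix: int = 0) -> int:
    """Number of candidate passwords left once `leaked_prefix` leading characters are known."""
    return alphabet_size ** max(password_length - leaked_prefix, 0)


def leak_factor(alphabet_size: int, leaked_prefix: int = 2) -> int:
    """By how much a leaked prefix divides the brute-force work, independent of length."""
    return alphabet_size ** leaked_prefix


# Constructed sample: a password and a hash string whose salt was taken from
# the password's first two characters (shape only; not produced by crypt(3)).
SAMPLE_PASSWORD = "s3cret!x"
SAMPLE_HASH = "s3AbCdEfGhIjK"

if __name__ == "__main__":
    print("salt in returned hash:", salt_of(SAMPLE_HASH))
    print("salt derived from password:", salt_derived_from_password(SAMPLE_HASH, SAMPLE_PASSWORD))
    print("a properly chosen salt would look like:", random_salt())
    print("candidates for an 8-char password over 95 printable characters:",
          guess_space(8, 95), "-> with 2 chars leaked:", guess_space(8, 95, 2))
```

The point of `leak_factor` is that the damage does not depend on how long the password is: whatever the length, every observer of the hash string gets the first two characters for free, so the remaining search is divided by the square of the character alphabet (9,025 for printable ASCII). The fix on the service side is the one `random_salt` shows, a salt chosen without reference to the password; the fix on the user side, as the thread says, is to stop sending the cleartext over email at all.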
Current thread:
- Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter Ajamian (Jun 08)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability aleph1 (Jun 08)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Tyler Walden (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Barney Wolff (Jun 11)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Tyler Walden (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Chris Adams (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Len Sassaman (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter W (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter Ajamian (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter van Dijk (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Wichert Akkerman (Jun 11)
- <Possible follow-ups>
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability jkohl (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability aleph1 (Jun 08)