Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: Peter W <peterw () usa net>
Date: Fri, 8 Jun 2001 16:06:02 -0400

On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:

While crypt password authentication is not in and of itself very secure,
Network Sulotions have made it even less so by including the first two
characters of the password as the salt of the encrypted form.  While the
password is transmitted via a secure session, the encrypted form is
returned almost immediately in a non-encrypted www session.  Also, this
password is typically emailed back and forth to the user no less than two
times (and often times more).  This allows several opportunities for
someone to observe the encrypted password, this in and of itself is not
good.

Plus when you submit a change request template, your email contains the 
plaintext password. :-(

And that's the problem: not the crypt routine, but the cleartext data xfer.

Possible Workarounds:

Do not use the Crypt-PW authentication-scheme.  Instead use the MAIL_FROM
or PGP scheme instead.

If someone attempts to make changes to a domain with a Network Solutions
old-style[0] admin or billing handle, Network Solutions will email the
responsible handle's address. With MAIL_FROM, the email address is availble
via a whois query. Easily obtained, easily spoofed, and if you get cracked,
you have to get NetSol involved to clean up. *Do NOT use mail_from!!!*

You're in just as much trouble if someone gets your encrypted NetSol 
CRYPT-PW password. But, unlike the email address, the encrypted password is 
not readiliy available. An attacker without the encrypted password can only 
attempt to guess the password. And the attacker must send a change request 
to test their guess. And you get emailed each time they try. The only 
effective way to crack a CRYPT-PW handle is to sniff the email channel [so 
the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].

Which gets us to footnote [0]: for many months, Network Solutions has been 
using a fully Web-based system for domain/handle maintenance.

So to the extext you're concerned about CRYPT_PW, I'd suggest two viable 
alternatives: change the authentication method to PGP (very easy), or create 
new NIC handles for the Web-based management system and transfer your 
domains' contact handles to the Web-based handles. Those with many domains 
will likely find the Web-based interface annoying, especially for batch 
updates.

But for goodness' sake, do *not* use MAIL_FROM !!!

-Peter

If you must use CRYPT-PW then the following suggestions are recommended:

Changing your password means sending the cleartext value to NetSol via 
email. So changing your password involves risk. :-(


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]