Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: jkohl <jkohl () nc rr com>
Date: Fri, 8 Jun 2001 13:03:37 -0700 (PDT)

On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian <peter () pajamian dhs org>
wrote.
Problem:

While crypt password authentication is not in and of itself very secure,
Network Sulotions have made it even less so by including the first two
characters of the password as the salt of the encrypted form.  While the
password is transmitted via a secure session, the encrypted form is
returned almost immediately in a non-encrypted www session.  Also, this
password is typically emailed back and forth to the user no less than two
times (and often times more).  This allows several opportunities for
someone to observe the encrypted password, this in and of itself is not
good.

<snip>

Peter, great call, I was actually going to post about this myself, but
wasn't sure if this list was the right place for the NS web-based stuff.

There are some additional concerns about their Crypt-PW solution, (which
I've mentioned to them, and they've not done anything about it)...

1) Even though Crypt-PW is supposedly a replacement for MAIL-TO, you still
must have a valid email address to use Crypt-PW...so what IS the point of
having Crypt-PW?  (Especially as it's not secure)

2)  If you do NOT have a valid email address (i.e. dropped account, ect) NS
emails the completed forms (with the entire Auth password) to the address
anyway.  If, especially in the case of some ISPs, they have 'reused' the
login after an extended amount of time, they've just emailed someone else
your encrypted password for your domain.  If not, it's going to go into the
admin no-relay logs, leaving it open to abuse by someone with access to the
mail host.  And, not to leave out Peter's mention of the fact that they are
sending the cleartext mail (with the password) where anyone can view it.

Workarounds...do NOT use Crypt-PW as an authentication, and insure that you
change your domain records *before* losing the account, as Crypt-PW will not
allow you to access or change records if you do not still own the email
address.

Cheers!

Jan Kohl


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]