ID

VAR-199912-0146


CVE

CVE-1999-1497


TITLE

IMail Weak Password Encryption Vulnerability

Trust: 0.9

sources: BID: 880 // CNNVD: CNNVD-199912-063

DESCRIPTION

Ipswitch IMail 5.0 and 6.0 use weak encryption to store passwords in registry keys, which allows local attackers to read passwords for e-mail accounts. The encryption scheme used is weak and has been broken. The following description of the mechanism used is quoted from Matt Conover's post to Bugtraq, linked to in full in the Credits section.

ENCRYPTION SCHEME

Take the lowercase of the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Take each letter of the password, find its ASCII equivalent and add the offset (ASCII value of first char of the account name minus 97) then subtract the corresponding difference. Use the differences recursively if the password length is greater than the length of the account name. This gives you the character's new ASCII value. Next, look up the new ASCII value in the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt) and you now have the encrypted letter.

Example:

Account Name: mike
m = 109
i = 105
k = 107
e = 101

Differences:
First - First: 0
First - Second: 4
First - Third: 2
First - Fourth: 8

Unencrypted Password: rocks
r = 114
o = 111
c = 99
k = 107
s = 115

(ASCII value + offset) - difference:
offset: (109 - 97) = 12
(114 + 12) - 0 = 126
(111 + 12) - 4 = 119
(99 + 12) - 2 = 109
(107 + 12) - 8 = 111
(115 + 12) - 0 = 127

126 = DF
119 = D8
109 = CE
111 = D0
127 = E0

Encrypted Password: DFD8CED0E0

The decryption scheme is a little easier. First, like the encryption scheme, take the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Now split the encrypted password by two characters (e.g., EFDE = EF DE) then look up their ASCII equivalent within the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt). Take that ASCII value and add the corresponding difference. Look this value up in the ASCII table. This table is made by taking the ASCII value of the first character of the account name and setting it equal to 'a'.

EXAMPLE

Account Name: mike
m = 109
i = 105
k = 107
e = 101

Differences:
First - First: 0
First - Second: 4
First - Third: 2
First - Fourth: 8

Encrypted Password: DFD8CED0E0
DF = 126
D8 = 119
CE = 109
D0 = 111
E0 = 127

Add Difference:
126 + 0 = 126
119 + 4 = 123
109 + 2 = 111
111 + 8 = 119
127 + 0 = 127

Look up in table (see http://www.w00w00.org/imail_map.txt):
126 = r
123 = o
111 = c
119 = k
127 = s

Unencrypted Password: rocks
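The encoding described above, as an added example (not code from this record or from Matt Conover's post): it reproduces the worked example, shows that the stored value depends only on the account name and password with no key or salt, and sets a salted PBKDF2 verifier beside it as the hardened storage form. The function names are made up for this example, and because the ASCII-ENCRYPTED table is not reproduced on this page, the code assumes the rule hex = value + 97, which matches all five pairs quoted above.

```python
import hashlib
import hmac
import os

# Assumption: the ASCII-ENCRYPTED table is not on this page. The five pairs in
# the worked example (126=DF, 119=D8, 109=CE, 111=D0, 127=E0) all satisfy
# hex = value + 97, so that rule stands in for the table.
TABLE_SHIFT = 97


def imail_encode(account, password):
    """Encode a password as the quoted description says IMail stores it."""
    name = account.lower().encode("ascii")
    offset = name[0] - ord("a")              # 'm' -> 12
    diffs = [name[0] - c for c in name]      # mike -> [0, 4, 2, 8]
    out = []
    for i, ch in enumerate(password.encode("ascii")):
        value = ch + offset - diffs[i % len(diffs)]  # differences repeat
        out.append((value + TABLE_SHIFT) & 0xFF)
    return bytes(out).hex().upper()


def changed_positions(stored_a, stored_b):
    """Indexes of stored bytes that differ between two encodings."""
    pairs = zip(bytes.fromhex(stored_a), bytes.fromhex(stored_b))
    return [i for i, (p, q) in enumerate(pairs) if p != q]


def hardened_store(password, salt=None, rounds=200_000):
    """Hardened contrast: salted, one-way PBKDF2-HMAC-SHA256 verifier."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def hardened_verify(password, salt, digest):
    return hmac.compare_digest(hardened_store(password, salt)[1], digest)


if __name__ == "__main__":
    # Constructed inputs: the page's own example plus a one-letter variant.
    a = imail_encode("mike", "rocks")
    b = imail_encode("mike", "rocky")
    print(a)                                   # the page's worked example
    print(a == imail_encode("mike", "rocks"))  # deterministic: no salt, no key
    print(changed_positions(a, b))             # one input letter, one output byte
    salt, digest = hardened_store("rocks")
    print(hardened_store("rocks")[1] != digest)  # fresh salt, new digest
    print(hardened_verify("rocks", salt, digest))
```

Each stored byte moves with exactly one password character, which is why the record classes this as a design error rather than an implementation bug; the PBKDF2 form stores nothing from which the password can be computed back.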

Trust: 1.26

sources: NVD: CVE-1999-1497 // BID: 880 // VULHUB: VHN-1478

AFFECTED PRODUCTS

vendor: ipswitch // model: imail // scope: eq // version: 6.0

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 5.0.8

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 5.0.7

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 5.0.6

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 5.0.5

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 5.0

Trust: 1.9

sources: BID: 880 // CNNVD: CNNVD-199912-063 // NVD: CVE-1999-1497

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-1999-1497
value: HIGH

Trust: 1.0

CNNVD: CNNVD-199912-063
value: HIGH

Trust: 0.6

VULHUB: VHN-1478
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-1999-1497
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-1478
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-1478 // CNNVD: CNNVD-199912-063 // NVD: CVE-1999-1497

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-1999-1497

THREAT TYPE

local

Trust: 0.9

sources: BID: 880 // CNNVD: CNNVD-199912-063

TYPE

Design Error

Trust: 0.9

sources: BID: 880 // CNNVD: CNNVD-199912-063

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-1478

EXTERNAL IDS

db: NVD // id: CVE-1999-1497

Trust: 2.0

db: BID // id: 880

Trust: 2.0

db: CNNVD // id: CNNVD-199912-063

Trust: 0.7

db: BUGTRAQ // id: 19991221 [W00GIVING '99 #11] IMAIL'S PASSWORD ENCRYPTION SCHEME

Trust: 0.6

db: EXPLOIT-DB // id: 401

Trust: 0.1

db: EXPLOIT-DB // id: 19683

Trust: 0.1

db: VULHUB // id: VHN-1478

Trust: 0.1

sources: VULHUB: VHN-1478 // BID: 880 // CNNVD: CNNVD-199912-063 // NVD: CVE-1999-1497

REFERENCES

url:http://www.securityfocus.com/bid/880

Trust: 1.7

url:http://www.securityfocus.com/archive/1/39329

Trust: 1.7

url:http://www.ipswitch.com/products/imail_server/index.asp

Trust: 0.3

sources: VULHUB: VHN-1478 // BID: 880 // CNNVD: CNNVD-199912-063 // NVD: CVE-1999-1497

CREDITS

Posted to Bugtraq on December 21, 1999 by Matt Conover <shok@cannabis.dataforce.net>.

Trust: 0.9

sources: BID: 880 // CNNVD: CNNVD-199912-063

SOURCES

db: VULHUB // id: VHN-1478
db: BID // id: 880
db: CNNVD // id: CNNVD-199912-063
db: NVD // id: CVE-1999-1497

LAST UPDATE DATE

2024-08-14T14:01:00.883000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-1478 // date: 2008-09-05T00:00:00
db: BID // id: 880 // date: 2009-07-11T01:56:00
db: CNNVD // id: CNNVD-199912-063 // date: 2007-01-24T00:00:00
db: NVD // id: CVE-1999-1497 // date: 2008-09-05T20:19:39.990

SOURCES RELEASE DATE

db: VULHUB // id: VHN-1478 // date: 1999-12-21T00:00:00
db: BID // id: 880 // date: 1999-12-19T00:00:00
db: CNNVD // id: CNNVD-199912-063 // date: 1999-12-21T00:00:00
db: NVD // id: CVE-1999-1497 // date: 1999-12-21T05:00:00