[VulnWatch] RE: Trillian weakly encrypts saved passwords
From: Brenna Primrose (drxlecter@phreaker.net)Date: 09/09/02
- Previous message: Rapid 7 Security Advisories: "[VulnWatch] Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Brenna Primrose" <drxlecter@phreaker.net> To: "'Evan Nemerson'" <enemerson@coeus-group.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>, <news@securiteam.com> Date: Mon, 9 Sep 2002 13:26:42 -0500
This bug has been known for at least a few months. Nothing new here...
http://lists.insecure.org/vuln-dev/2002/Jun/0060.html
http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t@creighton.edu
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------
-----Original Message-----
From: Evan Nemerson [mailto:enemerson@coeus-group.com]
Sent: Monday, September 09, 2002 4:20 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
submissions@packetstormsecurity.org; news@securiteam.com
Subject: Trillian weakly encrypts saved passwords
Software:
Trillian 0.73, possibly other versions.
Issue:
Weak "encryption" of saved passwords.
Impact:
Decryption of saved passwords.
Vendor notified:
3 Sept., 2002. No response.
Severity:
Medium. ish. The program only works locally, and only if the subject
has saved their password, and really if someone can get into your AIM
account, how earth-shattering is that??? However, since a lot of people
use
the same password for everything...
---------------------
Trillian is, according to trillian.cc, "...everything you need for
instant
messaging. Connect to ICQR, AOL Instant Messenger(SM), MSN Messenger,
Yahoo!
Messenger and IRC in a single, sleek and slim interface."
Upon examination of the Trillian directory (which defaults to C:\Program
Files\Trillian\ ), it appears that passwords are stored in ini files
that are
located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
encrypted using a simple XOR with a key apparently uniform throughout
every
installation.
The attached program takes, as command line argument(s), path(s) to
these INI
files. It will then display a list of usernames, "encrypted" passwords,
and
plaintext passwords.
Evan Nemerson
enemerson@coeus-group.com
http://www.coeus-group.com
- Previous message: Rapid 7 Security Advisories: "[VulnWatch] Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
