Re: Trillian weakly encrypts saved passwords
From: jelmer (jkuperus@xs4all.nl)
Date: 09/09/02
- Previous message: Mandrake Linux Security Team: "MDKSA-2002:057 - krb5 update"
- In reply to: Evan Nemerson: "Trillian weakly encrypts saved passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "jelmer" <jkuperus@xs4all.nl>
To: "Evan Nemerson" <enemerson@coeus-group.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>, <news@securiteam.com>
Date: Mon, 9 Sep 2002 23:34:35 +0200
Not really relevant, as even when it would be encrypted with MD5 or whatever
one could just copy and use the ini file on your own pc.
A bigger problem imho is that the location is known and the content is
textual; with all the recent local file reading exploits in msie this is
nasty. I was already sent sample code for this a couple of weeks ago after I
posted the xmldso thingie.
-- jelmer

----- Original Message -----
From: "Evan Nemerson" <enemerson@coeus-group.com>
To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>; <submissions@packetstormsecurity.org>; <news@securiteam.com>
Sent: Monday, September 09, 2002 11:20 AM
Subject: Trillian weakly encrypts saved passwords
> Software:
> Trillian 0.73, possibly other versions.
>
> Issue:
> Weak "encryption" of saved passwords.
>
> Impact:
> Decryption of saved passwords.
>
> Vendor notified:
> 3 Sept., 2002. No response.
>
> Severity:
> Medium. ish. The program only works locally, and only if the subject has saved their password, and really if someone can get into your AIM account, how earth-shattering is that??? However, since a lot of people use the same password for everything...
>
> ---------------------
>
> Trillian is, according to trillian.cc, "...everything you need for instant messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface."
>
> Upon examination of the Trillian directory (which defaults to C:\Program Files\Trillian\ ), it appears that passwords are stored in ini files that are located in {Path to Trillian}\users\{WindowsLogon}. The passwords are encrypted using a simple XOR with a key apparently uniform throughout every installation.
>
> The attached program takes, as command line argument(s), path(s) to these INI files. It will then display a list of usernames, "encrypted" passwords, and plaintext passwords.
>
>
> Evan Nemerson
> enemerson@coeus-group.com
> http://www.coeus-group.com
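Why a fixed XOR key across every installation is obfuscation rather than encryption, as an added example that is not the advisory's attached program and not Trillian's code: the key, the hex storage format and the sample INI profile below are all constructed for illustration, and the real key is not on this page. One known password (your own, on the same build) exposes the keystream, which then unlocks every other saved entry of equal or shorter length.

```python
import configparser

# Constructed, hypothetical installation-wide key; NOT Trillian's real key.
FIXED_KEY = bytes.fromhex("133742aa550f9ce12b70d46608fb3e91")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same operation 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def obfuscate(password: str, key: bytes = FIXED_KEY) -> str:
    """Store a password as hex(password XOR key) (constructed storage format)."""
    return xor_bytes(password.encode(), key).hex()

def recover_keystream(known_password: str, stored_hex: str) -> bytes:
    """Known-plaintext step: one (password, stored value) pair exposes the
    keystream for as many bytes as the known password is long."""
    return xor_bytes(bytes.fromhex(stored_hex), known_password.encode())

def deobfuscate_profile(ini_text: str, keystream: bytes) -> dict:
    """Parse a profile INI and recover every 'password' entry that the
    recovered keystream is long enough to cover; refuse the rest."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    recovered = {}
    for section in cp.sections():
        if not cp.has_option(section, "password"):
            continue
        stored = bytes.fromhex(cp.get(section, "password"))
        if len(stored) > len(keystream):
            raise ValueError(f"{section}: need a known plaintext of >= {len(stored)} bytes")
        recovered[cp.get(section, "name")] = xor_bytes(stored, keystream).decode()
    return recovered

# Constructed sample profile with two saved accounts.
SAMPLE_INI = (
    "[profile0]\nname=alice\npassword=" + obfuscate("hunter2") + "\n"
    "[profile1]\nname=bob\npassword=" + obfuscate("s3cret") + "\n"
)

def demo() -> dict:
    """Knowing only alice's password is enough to read bob's as well,
    because the key does not differ between accounts or installations."""
    ks = recover_keystream("hunter2", obfuscate("hunter2"))
    return deobfuscate_profile(SAMPLE_INI, ks)
```

The same property holds for any fixed-key XOR scheme regardless of key length; only a per-user secret (or OS-provided credential storage) stops one known entry from unlocking the others.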