COMMAND

	Pegasus Mail

SYSTEMS AFFECTED

    Those using Pegasus Mail (all)

PROBLEM

    'galldor' posted following.  Even this affects all versions,  this
    was wrote about the V2  encryption on 3.0+.  Versions  tested were
    V1 and V2 of  the password.  There  is Weak Encryption on  Pegasus
    Mail which allows users to read pop3 passwords.  'gallador'  found
    extreamly weak encryption in the Pegasus Mail Client.  This can be
    cracked  with  ease  which  means  any  user could find out othere
    peoples POP3 Passwords.

    The POP3 Passwords are kept in the

        \mail\USER\pmail.ini

    so

        c:\pmail\mail\g00f\pmail.ini

    would give  the user  g00f's configuration  file.   The file looks
    something like this:

        [Pegasus Mail for Windows - built-in TCP/IP Mail]
        Host where POP3 mail account is located   = g00fey.com
        POP3 mail account (username on host)      = g00f
        V2 Password for POP3 mail account         = $moL
        Delete downloaded mail from host          = Y
        Largest message size to retrieve          = 0
        Directory to place incoming POP3 mail     = C:\PMAIL\MAIL\g00f
        Transport control word                    = 66308
        SMTP relay host for outgoing mail         = g00fey.com
        Search mask to locate outgoing messages   = C:\PMAIL\MAIL\g00f\*.PMX
        Alternative From: field for message       = galldor@microhack.com

    As this text file is world read/writable a user could easley  edit
    the file so messages go to a new directory or choose not to delete
    pop3 mail from host.  But the main problem is the weak  encryption
    on the  V2 Password.   This is  a very  simple algerithum.   It is
    encrypted as follows.   The letter itself.   The placement of  the
    letter in the  password.  V2  encrypts so that  there is the  same
    amount of letters/numbers as in the pass.

    Cracking  It?   We  won't  go  into  that  much detail as it is so
    simple, if someone  could be bothered  they could write  a small C
    program to do this.

    First  you  have  to  Ignore  the  $  completely.  The letters and
    Numbers after the  $ are the  encrypted values of  the password so
    anything after the $ is also  the size of the password.   Here are
    a few examples of how to crack it and how the encryption works.

        a = $m  # Just testing....
        aa = $mo
        aaa = $moL

        b = $R
        bb = $R?
        bbb = £R?8

    As  you  can  see  the  weak  encryption is already showing as the
    encryption dosn't  even encrypt  by the  number of  letters.   The
    Encryption works like this:

        1st Letter placement of a = m
        2nd Letter placement of a = o
        3rd Letter placement of a = L

    So to find aab it would be as followed:

        aab = 1st a + 2nd a + 3rd b (which) = mo8

    so in the ini the pass will be $mo8

        abb = 1st a + 2nd b + 3rd b = $m?8

    So you could now find out:

        bab = $Ro8

    As  pegasus  is  a  popular  mail  client on Windows Networks this
    could mean  a compromise  of security  as most  pop3 passwords are
    the same  as the  telnet/ssh etc.   Older versions  of pegasus use
    the same kind of encryption it  is set out the same but  just uses
    differnet numbers and letters to encrypt.

SOLUTION

    Notging yet.