COMMAND
Seattle Lab Sendmail
SYSTEMS AFFECTED
SL-Mail ver 3.0.2423 (Win NT)
PROBLEM
Mnemonix found the following. During the install you choose
whether the password is set to the account name, "password" or
blank. Whichever is chosen, an encrypted password is stored in the
registry under the following key:
HKLM\Software\Seattle Lab\SLMail\Users
By default, the "Everyone" group has the ability to "set value".
Therefore it is possible for "Everyone" to:
a) Create their own account
b) Create their own alias to another account (e.g. root)
c) Change the passwords on other people's accounts.
Point c) is interesting in that if the password is set to "NULL"
(e.g. u;;ac_name.mbx;;) you can still log in with it to POP3.
Strange? If you choose a "blank" password during the install, a
password is still created that decrypts to "blank" / "NULL".
There are also problems with the encryption method used. Below are
some accounts and their passwords (when "UserID" is used as the
password):
u;;aaaaaa.mbx; aa aa aa aa 1m Ym Wm Hl Vi Cl Qa hg;
u;;aaaaa.mbx; aa aa aa an 1m Ym Wm Hl Vi Cl Qa 0l;
u;;aaaa.mbx; aa aa am hn 1m Ym Wm Hl Vi Cl Qa vg;
u;;aaa.mbx; aa aa 2m hn 1m Ym Wm Hl Vi Cl Qa ck;
u;;aa.mbx; aa qo 2m hn 1m Ym Wm Hl Vi Cl Qa de;
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
u;;bbbbbb.mbx; aa aa aa aa 2m bm Zm sl Si Vl Pa 0g;
u;;bbbbb.mbx; aa aa aa Wn 2m bm Zm sl Si Vl Pa 3l;
u;;bbbb.mbx; aa aa am 0n 2m bm Zm sl Si Vl Pa Mg;
u;;bbb.mbx; aa aa 1m 0n 2m bm Zm sl Si Vl Pa bk;
u;;bb.mbx; aa Go 1m 0n 2m bm Zm sl Si Vl Pa We;
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
u;;"19 c's".mbx; aa aa aa aa aa aa aa aa aa aa a4 7k;
u;;"16 c's".mbx; aa aa aa aa aa aa aa aa aa aa ae Ze;
u;;"15 c's".mbx; aa aa aa aa aa aa aa aa aa aa Oa mj;
u;;"14 c's".mbx; aa aa aa aa aa aa aa aa aa Wl Oa Tc;
u;;"13 c's".mbx; aa aa aa aa aa aa aa aa ai +l Oa +j;
u;;"12 c's".mbx; aa aa aa aa aa aa aa aa Ti +l Oa -c;
u;;"9 c's".mbx; aa aa aa aa aa aa Ym dl Ti +l Oa 6i;
u;;"8 c's".mbx; aa aa aa aa aa qm Ym dl Ti +l Oa 7e;
u;;a.mbx; au zw GO rS ev Ju rv Wt or Tk lb Os;
u;;b.mbx; au zw GO rS ev Ju rv Wt or Tk lb ys;
u;;c.mbx; au zw GO rS ev Ju rv Wt or Tk lb is;
u;;d.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4t;
u;;e.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ot;
u;;f.mbx; au zw GO rS ev Ju rv Wt or Tk lb yt;
u;;g.mbx; au zw GO rS ev Ju rv Wt or Tk lb it;
u;;h.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4q;
u;;i.mbx; au zw GO rS ev Ju rv Wt or Tk lb Oq;
u;;j.mbx; au zw GO rS ev Ju rv Wt or Tk lb yq;
u;;k.mbx; au zw GO rS ev Ju rv Wt or Tk lb iq;
u;;l.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4r;
u;;m.mbx; au zw GO rS ev Ju rv Wt or Tk lb Or;
u;;n.mbx; au zw GO rS ev Ju rv Wt or Tk lb yr;
u;;o.mbx; au zw GO rS ev Ju rv Wt or Tk lb ir;
u;;p.mbx; au zw GO rS ev Ju rv Wt or Tk lb 4w;
u;;q.mbx; au zw GO rS ev Ju rv Wt or Tk lb Ow;
u;;r.mbx; au zw GO rS ev Ju rv Wt or Tk lb yw;
u;;s.mbx; au zw GO rS ev Ju rv Wt or Tk lb iw;
(Incidentally, if the account name is one alphanumeric character
long and "UserID" is chosen as the password, the passwords don't
decrypt and login fails.)
Depending on the ACLs set on the winreg key (if present) these
changes could be effected remotely, though in most cases local
access may be needed.
SOLUTION
Admins should set the ACLs on the SLMail subkey if they don't want
this to be an issue and physical security cannot be implemented.
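One way to check for the weak ACL described above, as an added example that is not part of the original advisory. The Users key path is the one given above; the parent key, the extra broad groups beyond "Everyone" and the function name Get-BroadWriteAce are assumptions made for illustration.

```powershell
# Added example: report Allow ACEs that let broad groups write values
# under the SLMail registry keys. Paths other than ...\Users are assumptions.
param(
    [string[]]$KeyPath = @(
        'HKLM:\Software\Seattle Lab\SLMail\Users',
        'HKLM:\Software\Seattle Lab\SLMail'
    )
)

# Well-known SIDs; only "Everyone" is named in the advisory.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# SetValue (0x2) plus GENERIC_WRITE and GENERIC_ALL, which imply it.
$WriteMask = 0x2 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable account
        $canWrite = (([int]$ace.RegistryRights) -band $WriteMask) -ne 0
        if ($BroadSids.ContainsKey($sid) -and $canWrite) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($k in $KeyPath) { Get-BroadWriteAce -Path $k }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad write access found on the checked keys.' }
```

An entry with Inherited set to True has to be corrected on the parent key, or by disabling inheritance on the SLMail subkey, rather than on the Users key itself.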