COMMAND

    IMail

SYSTEMS AFFECTED

    Win systems running IMail

PROBLEM

    Steven  Alexander  found  following.    The  user  passwords   for
    Ipswitch's IMail  server are  stored in  encrypted(sorta) form  in
    the Windows NT registry:

        HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\yourdomain\users\

    The scheme used to protect the password seems to only be  intended
    to deter  the curious  user.   IMail adds  the value  of the first
    character of the username with the value of the first character of
    the password.   It then puts  the sum of  the two in  hex into the
    registry.  It  then repeats this  with the second  letters of both
    the username and the password.  If the password is longer than the
    username, the username is repeated.  Example:

        username:                      test
        encrypted-password:    BD D4 EA E2 ED D4 E8
        the hex values of the username are: 74 65 73 74

        hence:

        BD     D4    EA     E2    ED    D4     E8
        -74    -65   -73    -74   -74   -65    -73

      =  49     6F    77     6E    79    6F     75
      = Iownyou

    If someone has  access to the  mail server and  is able to  access
    the registry (which users are able depends on your  configuration)
    all of the IMail passwords can  be recovered.  This could also  be
    used to build a dictionary for tools such as L0pht Crack and/or to
    compromise Administrator accounts.

SOLUTION

    Nothing yet.