Netscape Preferences File Issues
11/16/98

This isn't much of an advisory... in fact, the credit goes elsewhere (see below). I wrote a short piece of code in relation to this, though, so I wanted to publish that. Thanks to Holger van Lengerich for the heads-up.

Got this note via Bugtraq:


Hi!

Netscape Communicator 4.5 stores an encrypted version of the mail passwords
used (for IMAP and POP3) even if you tell Netscape to *not* "remember
password" in the preferences dialog.

Damage:
=======
IMHO this means that anybody who can read your preferences.js ("prefs.js"
in the MS dominion) is probably able to read your mail or even get your
plaintext password.

How to reproduce:
=================
- start Communicator
- be sure "remember password" is disabled in the preferences dialog for the
  "Incoming Mail Server".
- get mail from the server (you get asked for your mail password)
- exit Communicator
- edit preferences.js in $HOME/.netscape (MS users: prefs.js in your
  NS profile path)
    - search for something like:
       --- 8< ---
       user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
       user_pref("mail.imap.server.mail.remember_password", false);
       --- >8 ---
    - now change "false" to "true"
    - save the file
- start Communicator
- get mail

... now you are not asked for any password but can read all your mail! :(

Affected:
=========
probably all Communicator-4.5-packages on ALL operating systems.

I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.

Workaround:
===========
Don't use Communicator 4.5 to fetch mail from your IMAP/POP server, or be
very sure that no one can read your Netscape preferences file!!!

Regards,
    Holger van Lengerich, "pine"-user :)

PS: The preferences.js is sent to Netscape on a Communicator crash, isn't it?
----------------------------------------------------------------------------
 Holger van Lengerich - University of Paderborn - Dept. of Computer Science
  System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
   mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli


I did a little investigating and found that he was quite correct. I use Communicator 4.5 with the POP reader and told it not to remember my password (it prompts each time I launch it), and yet my preferences.js file contains an obfuscated copy of my password.

I got curious about the encoding of the password. It's obviously trivially reversible if the algorithm is known, because Netscape itself has to reverse it. Anyone who has spent time looking at base64-encoded text would recognize that the stored value was base64 encoded. So I found a handy Perl module to do the encoding/decoding, learned enough Perl to write a bit of code to apply it, and looked at the results. I got a string back that was not my original password. I tried it with another password, same result. I did notice one thing, though: both my passwords were 7 characters long, and the decoded strings were also 7 bytes long.

So, on a hunch, I took each decoded string and XORed it with its original password (REAL easy in Perl). I got the same 7-byte string back both times. Aha!

Here's the note I sent back to Bugtraq:


>Does anybody know the algorithm used to encrypt the passwords in
>Communicator??

Apparently, it takes the plaintext, XORs it with a fixed string,
and base64-encodes the result:

use MIME::Base64;

# The fixed 7-byte string every stored password is XORed with.
my $key = "\x56\xc9\xef\x4a\x9b\xbe\x5a";

# Base64-decode the value from preferences.js, then XOR it with the key.
print decode_base64('NLyIPunfKw==') ^ $key, "\n";

You need the MIME::Base64 Perl module.

This one is good up to 7 characters, because that's how long a couple of
POP passwords I have are :)

It should be pretty straightforward to extend beyond 7 characters: take
the encoded string from the prefs file, base64-decode it, and XOR it with
your plaintext password. What you get is the fixed string to XOR with;
just extend the bytes I have above. The meaning of the byte sequence is
non-obvious (at least to me); it doesn't spell anything in ASCII. Let me
know if it doesn't work on your passwords... I'm curious. I only had a
couple to try.


After that I went poking around a few home servers at my day job, to see if anyone had voluntarily chosen to save their password in the Unix version of Netscape (we haven't rolled out 4.5 yet). I found a couple, and was able to decode their passwords. I noticed a few other interesting things as well, such as the fact that it's not just POP/IMAP passwords: HTML publishing passwords and NNTP passwords are stored the same way. Plus, as an extra bonus, on the Unix side it creates the preferences.js file world readable. I also managed to get the root password that one of our sysadmins had used to publish a web page, having told it to save the password! Doh! Bad SA!
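The scheme from the note above (fixed-key XOR, then base64) together with the prefs-file findings just described, as an added Python example. This is not code from the original page or from Netscape; it is a rendering of the Perl one-liner above plus the checks a sysadmin would want when looking at a user's preferences file. The 7-byte key and the encoded sample string come from the note; the pref name mail.imap.server.mail.password and its remember_password companion come from Holger's report; the example.publish.* pref names and the sample prefs.js text are constructed for the demo. recover_key is the known-plaintext step the note describes (decoded value XOR plaintext = key), audit_prefs flags the condition the report describes (a password kept on disk although the matching remember_password is false), and world_readable checks the file-mode problem noted above. Applying deobfuscate to the note's own encoded string recovers its author's 7-character sample password, which is the whole point: one known sample gives away the key for every other user of the same build.

```python
import base64
import re

# The fixed 7-byte XOR key from the note above. Only these 7 bytes are known;
# longer passwords need the key extended by the known-plaintext step below.
KEY = bytes([0x56, 0xC9, 0xEF, 0x4A, 0x9B, 0xBE, 0x5A])


def obfuscate(plaintext: str) -> str:
    """Netscape-style storage: XOR with the fixed key, then base64 (not encryption)."""
    data = plaintext.encode("latin-1")
    if len(data) > len(KEY):
        raise ValueError("key is only known for %d bytes" % len(KEY))
    return base64.b64encode(bytes(p ^ k for p, k in zip(data, KEY))).decode("ascii")


def deobfuscate(encoded: str) -> str:
    """Reverse of obfuscate(): base64-decode, then XOR with the same fixed key."""
    data = base64.b64decode(encoded)
    if len(data) > len(KEY):
        raise ValueError("key is only known for %d bytes" % len(KEY))
    return bytes(c ^ k for c, k in zip(data, KEY)).decode("latin-1")


def recover_key(encoded: str, known_plaintext: str) -> bytes:
    """Known-plaintext step from the note: stored bytes XOR plaintext = key.
    Because the key is fixed, a single sample is enough, which is why this is
    obfuscation rather than encryption."""
    data = base64.b64decode(encoded)
    plain = known_plaintext.encode("latin-1")
    if len(data) != len(plain):
        raise ValueError("decoded value and plaintext must be the same length")
    return bytes(c ^ p for c, p in zip(data, plain))


# One user_pref(...) line of a Netscape preferences.js / prefs.js file.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Map pref names to values; strings lose their quotes, true/false become bools."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw
    return prefs


def audit_prefs(text: str) -> list:
    """Report every stored *.password value and flag the bug from the report:
    a password kept on disk although the matching remember_password is false."""
    prefs = parse_prefs(text)
    findings = []
    for name, value in prefs.items():
        if not (name.endswith(".password") and isinstance(value, str) and value):
            continue
        remember = prefs.get(name[: -len("password")] + "remember_password")
        findings.append({
            "pref": name,
            "remember_password": remember,
            "stored_despite_opt_out": remember is False,
        })
    return findings


def world_readable(mode: int) -> bool:
    """True if a file mode grants read to 'other' (the prefs.js default noted above)."""
    return bool(mode & 0o004)


# Constructed sample prefs.js. The first pref name is the one from the report and
# the encoded value is the sample from the note; example.publish.* is hypothetical.
SAMPLE_PREFS = """\
user_pref("mail.imap.server.mail.password", "NLyIPunfKw==");
user_pref("mail.imap.server.mail.remember_password", false);
user_pref("example.publish.password", "NLyIPunfKw==");
user_pref("example.publish.remember_password", true);
user_pref("mail.check_new_mail", true);
"""

if __name__ == "__main__":
    # Report which prefs hold a password and whether the user had opted out.
    for finding in audit_prefs(SAMPLE_PREFS):
        print(finding)
    print("world readable 0644:", world_readable(0o644))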

If you need a version that does more than 7 characters, and you can't figure it out yourself, mail me a copy of your preferences file :)

BB