[20947] in bugtraq
Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
daemon@ATHENA.MIT.EDU (Peter W)
Sun Jun 10 18:38:19 2001
Date: Fri, 8 Jun 2001 16:06:02 -0400
From: Peter W <peterw@usa.net>
To: Peter Ajamian <peter@pajamian.dhs.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20010608160602.C4208@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2080BE.59D691D8@pajamian.dhs.org>; from peter@pajamian.dhs.org on Fri, Jun 08, 2001 at 12:37:34AM -0700
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
> While crypt password authentication is not in and of itself very secure,
> Network Solutions have made it even less so by including the first two
> characters of the password as the salt of the encrypted form. While the
> password is transmitted via a secure session, the encrypted form is
> returned almost immediately in a non-encrypted www session. Also, this
> password is typically emailed back and forth to the user no less than two
> times (and often times more). This allows several opportunities for
> someone to observe the encrypted password, this in and of itself is not
> good.
Plus when you submit a change request template, your email contains the
plaintext password. :-(
And that's the problem: not the crypt routine, but the cleartext data xfer.
> Possible Workarounds:
>
> Do not use the Crypt-PW authentication-scheme. Instead use the MAIL_FROM
> or PGP scheme instead.
If someone attempts to make changes to a domain with a Network Solutions
old-style[0] admin or billing handle, Network Solutions will email the
responsible handle's address. With MAIL_FROM, the email address is available
via a whois query. Easily obtained, easily spoofed, and if you get cracked,
you have to get NetSol involved to clean up. *Do NOT use mail_from!!!*
You're in just as much trouble if someone gets your encrypted NetSol
CRYPT-PW password. But, unlike the email address, the encrypted password is
not readily available. An attacker without the encrypted password can only
attempt to guess the password. And the attacker must send a change request
to test their guess. And you get emailed each time they try. The only
effective way to crack a CRYPT-PW handle is to sniff the email channel [so
the Echelon folks probably know all our NetSol CRYPT-PW passwords ;-)].
Which gets us to footnote [0]: for many months, Network Solutions has been
using a fully Web-based system for domain/handle maintenance.
So to the extent you're concerned about CRYPT-PW, I'd suggest two viable
alternatives: change the authentication method to PGP (very easy), or create
new NIC handles for the Web-based management system and transfer your
domains' contact handles to the Web-based handles. Those with many domains
will likely find the Web-based interface annoying, especially for batch
updates.
But for goodness' sake, do *not* use MAIL_FROM !!!
-Peter
> If you must use CRYPT-PW then the following suggestions are recommended:
Changing your password means sending the cleartext value to NetSol via
email. So changing your password involves risk. :-(
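The thread above turns on two points: a crypt-style hash whose salt is the first two characters of the password leaks those characters to anyone who sees the hash, and the hash (and the cleartext) travel over unencrypted channels. The following Python is an added illustration, not code from either poster or from Network Solutions. It models the password-derived salt scheme as the original report describes it beside a randomly salted variant; `hash_password` is a SHA-256 stand-in for crypt(3) (the Python `crypt` module is deprecated) that only mimics crypt's convention of storing the two salt characters as the prefix of the output. Function names and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def password_derived_salt(password: str) -> str:
    """The scheme the original report describes: salt = first two password characters."""
    if len(password) < 2:
        raise ValueError("password too short for a two-character salt")
    return password[:2]


def random_salt() -> str:
    """Two salt characters drawn from the crypt alphabet with a CSPRNG (the fix)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3), NOT DES crypt: output = salt + 22 hex chars of SHA-256(salt || password).
    Storing the salt as the first two output characters mirrors crypt's format."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:22]
    return salt + digest


def salt_of(stored: str) -> str:
    """What any observer of the stored/emailed hash can read off: the salt."""
    return stored[:2]


def enrol(password: str, derive_salt_from_password: bool) -> str:
    """Produce the stored form under either scheme."""
    salt = password_derived_salt(password) if derive_salt_from_password else random_salt()
    return hash_password(password, salt)


def verify(password: str, stored: str) -> bool:
    """Verification is identical under both schemes: re-hash with the stored salt and compare."""
    return hmac.compare_digest(hash_password(password, salt_of(stored)), stored)


def prefix_leak(password: str, stored: str) -> bool:
    """True when the salt visible in the stored form equals the first two password characters,
    i.e. when an observer of the hash has learned part of the secret."""
    return salt_of(stored) == password[:2]


def keyspace_reduction(prefix_len: int, alphabet_size: int) -> int:
    """Factor by which the remaining guess space shrinks when prefix_len characters are known.
    For two known characters of a 95-symbol printable-ASCII alphabet this is 95**2 = 9025."""
    return alphabet_size ** prefix_len


if __name__ == "__main__":
    sample = "hunter2"  # constructed sample password
    weak = enrol(sample, derive_salt_from_password=True)
    strong = enrol(sample, derive_salt_from_password=False)
    print("password-derived salt record:", weak, "-> leaks prefix:", prefix_leak(sample, weak))
    print("random salt record:          ", strong, "-> verifies:", verify(sample, strong))
    print("guess space shrinks by a factor of", keyspace_reduction(2, 95))
```

The defender's takeaway is that the random-salt variant verifies exactly the same way, so nothing in the authentication flow depends on the salt being derived from the password; the only thing the password-derived salt buys is a two-character head start for whoever reads the hash out of the unencrypted HTTP reply or the email. It does nothing about the cleartext transfer that Peter W identifies as the real problem; that needs an encrypted channel or, as he suggests, PGP.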