[20951] in bugtraq


Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

daemon@ATHENA.MIT.EDU (Tyler Walden)
Sun Jun 10 19:37:49 2001

Date: Fri, 8 Jun 2001 16:27:36 -0700 (PDT)
From: Tyler Walden <twalden@aa.net>
To: aleph1@securityfocus.com
Cc: bugtraq@securityfocus.com
In-Reply-To: <20010608113441.L27784@securityfocus.com>
Message-ID: <Pine.LNX.3.96.1010608162241.26162A-100000@big.aa.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


For those interested, here is a Perl program to generate Crypt-PWs with a
proper salt.

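#!/usr/bin/perl
# Read passwords from STDIN and print each one hashed with crypt().

print "password encryptee, [CTRL]-D quits.\n";
while (<STDIN>) {
  chomp;                      # strip only the trailing newline
  $salt = salt();             # fresh salt for every password
  $text = crypt($_, $salt);
  print $text."\n";
}

# Build a salt from the 64-character crypt() alphabet.
# Traditional DES crypt() uses only the first two characters of the salt.
sub salt {
  my $salt = '';
  my $i;
  my @itoa64 = ( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' ); # 0 .. 63
  for ($i = 0; $i < 8; $i++) {
    # rand() seeds itself on first use; index is uniform over 0 .. 63
    $salt .= $itoa64[int(rand(@itoa64))];
  }
  return $salt;
}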

Tyler Walden - twalden@aa.net
Alternate Access http://www.aa.net
Network Operations - noc@aa.net

On Fri, 8 Jun 2001 aleph1@securityfocus.com wrote:

> This is a very old problem. See
> http://www.securityfocus.com/archive/1/5494  (1996)
> http://www.securityfocus.com/archive/1/34191 (1999)
> 
> NSI obviously does not care much about the security. I haven't been
> able to get PGP authentication working in months.
> -- 
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
> 

