[26960] in bugtraq
RE: Trillian weakly encrypts saved passwords
daemon@ATHENA.MIT.EDU (Brenna Primrose)
Mon Sep 9 16:03:15 2002
From: "Brenna Primrose" <drxlecter@phreaker.net>
To: "'Evan Nemerson'" <enemerson@coeus-group.com>, <bugtraq@securityfocus.com>,
<vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>,
<news@securiteam.com>
Date: Mon, 9 Sep 2002 13:26:42 -0500
Message-ID: <003201c2582e$ea567630$6801a8c0@chouse.creighton.edu>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <200209090140.22119.enemerson@coeus-group.com>
This bug has been known for at least a few months. Nothing new here...
http://lists.insecure.org/vuln-dev/2002/Jun/0060.html
http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t@creighton.edu
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------
-----Original Message-----
From: Evan Nemerson [mailto:enemerson@coeus-group.com]
Sent: Monday, September 09, 2002 4:20 AM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
submissions@packetstormsecurity.org; news@securiteam.com
Subject: Trillian weakly encrypts saved passwords
Software:
Trillian 0.73, possibly other versions.
Issue:
Weak "encryption" of saved passwords.
Impact:
Decryption of saved passwords.
Vendor notified:
3 Sept., 2002. No response.
Severity:
Medium. ish. The program only works locally, and only if the subject
has saved their password, and really if someone can get into your AIM
account, how earth-shattering is that??? However, since a lot of people
use
the same password for everything...
---------------------
Trillian is, according to trillian.cc, "...everything you need for
instant
messaging. Connect to ICQR, AOL Instant Messenger(SM), MSN Messenger,
Yahoo!
Messenger and IRC in a single, sleek and slim interface."
Upon examination of the Trillian directory (which defaults to C:\Program
Files\Trillian\ ), it appears that passwords are stored in ini files
that are
located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
encrypted using a simple XOR with a key apparently uniform throughout
every
installation.
The attached program takes, as command line argument(s), path(s) to
these INI
files. It will then display a list of usernames, "encrypted" passwords,
and
plaintext passwords.
Evan Nemerson
enemerson@coeus-group.com
http://www.coeus-group.com
