
Related information

  Password decoding in Sambar

From: 3APA3A <3APA3A_(at)>
Subject: SECURITY.NNOV: Sambar Server all versions password decoding


Topic:                    Sambar Server all versions password decoding
Author:                   3APA3A <[email protected]>
SECURITY.NNOV advisories:
Vulnerable:               All Sambar versions up to 5.0 beta
Impact:                   passwords can be decoded back to
Vendor URL:
Released:                 24 July 2001
Credits:                  [email protected], [email protected]


Sambar is a widely used Web/Proxy/Mail server for Windows (there
are both free and commercial "Pro" versions).


The Sambar documentation states that there is no way to recover a
forgotten password. That is not true: by default the server uses
Blowfish with a statically compiled key to encrypt all passwords.
Blowfish is a symmetric cipher, so with the same key the passwords
can just as easily be decrypted, and since the key is compiled into
the product, anyone who has the binaries has the key. I don't
believe the authors didn't know that, because they coded the
decryption function too. The Sambar authors are aware of this
problem (in fact it has been known since at least 1999 according to
the [email protected] page, in Russian). I wonder why the authors do
not document this


I was too lazy to dig out the Blowfish key. I didn't even check
whether it is Blowfish or DES (in fact I never even started a
debugger; I did everything in a text editor :)). Instead I wrote a
small program which "cracks" sacrypt.exe so that it loads the
decryption function from the DLL instead of the encryption one, by
changing the string argument of GetProcAddress().
For more details see sadecrypt.c
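The patch described above, as an added example that is not the advisory's sadecrypt.c: a small Python tool that finds a NUL-terminated export name inside a binary image and overwrites it in place with the name of the inverse routine, so that the program's own GetProcAddress() call resolves the decryption function instead. The export names SaEncrypt/SaDecrypt, the lookup table standing in for the DLL's export table, and the byte layout of the sample image are constructed placeholders; the page does not give Sambar's real names. The one check that matters in practice is length: the replacement must be no longer than the original, otherwise it runs over the terminating NUL into whatever follows (the next import entry, for instance), and the tool also refuses to patch a string that is merely the tail of a longer identifier.

```python
# Added example, not the advisory's sadecrypt.c. Export names, EXPORTS table and
# SAMPLE_IMAGE are constructed placeholders (assumption); the page does not name
# Sambar's functions.


def _is_ident_byte(b: int) -> bool:
    """True for bytes that could continue a C identifier / export name."""
    return (48 <= b <= 57) or (65 <= b <= 90) or (97 <= b <= 122) or b == 95


def find_c_strings(image: bytes, name: bytes) -> list:
    """Offsets of every occurrence of `name` stored as a NUL-terminated C string.

    A match is rejected when the preceding byte could belong to an identifier,
    so asking for b"Encrypt" does not hit the tail of b"XEncrypt".
    """
    hits, needle, start = [], name + b"\x00", 0
    while (i := image.find(needle, start)) >= 0:
        if i == 0 or not _is_ident_byte(image[i - 1]):
            hits.append(i)
        start = i + 1
    return hits


def patch_import_name(image: bytes, old: bytes, new: bytes) -> tuple:
    """Return (patched image, list of offsets patched).

    The replacement is written in place and NUL-padded to the original length,
    so the file size and every other offset stay untouched. A longer name is
    refused: it would spill over the terminating NUL into the next entry.
    """
    if len(new) > len(old):
        raise ValueError("replacement name must not be longer than the original")
    if not new or b"\x00" in new:
        raise ValueError("replacement must be a non-empty C string")
    offsets = find_c_strings(image, old)
    if not offsets:
        raise ValueError(f"{old!r} not found as a NUL-terminated string")
    buf = bytearray(image)
    cell = new + b"\x00" * (len(old) - len(new) + 1)  # same footprint, NUL-terminated
    for off in offsets:
        buf[off:off + len(cell)] = cell
    return bytes(buf), offsets


def patch_file(src: str, dst: str, old: bytes, new: bytes) -> list:
    """Apply patch_import_name() to a file on disk; returns the patched offsets."""
    with open(src, "rb") as f:
        patched, offsets = patch_import_name(f.read(), old, new)
    with open(dst, "wb") as f:
        f.write(patched)
    return offsets


# Stand-in for the DLL side (constructed): a table playing the role of the
# export table that GetProcAddress() consults.
EXPORTS = {b"SaEncrypt": "encrypt", b"SaDecrypt": "decrypt"}


def resolve_by_name(image: bytes, string_offset: int):
    """Mimic GetProcAddress(): read the C string the program passes and look it up."""
    end = image.index(b"\x00", string_offset)
    return EXPORTS.get(image[string_offset:end])


# Constructed image: a DOS-stub-like prefix, two hint/name entries
# (2-byte hint + name + NUL) and a longer identifier that must NOT be patched.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 6
    + b"\x01\x00" + b"SaEncrypt\x00"     # the name the program hands to GetProcAddress()
    + b"\x02\x00" + b"LoadLibraryA\x00"
    + b"XSaEncrypt\x00"                  # suffix match, left alone
)
ENC_NAME_OFFSET = 10  # 2 ("MZ") + 6 (padding) + 2 (hint)

if __name__ == "__main__":
    patched, offs = patch_import_name(SAMPLE_IMAGE, b"SaEncrypt", b"SaDecrypt")
    print("patched at offsets", offs)
    print("before:", resolve_by_name(SAMPLE_IMAGE, ENC_NAME_OFFSET))
    print("after: ", resolve_by_name(patched, ENC_NAME_OFFSET))
```

Against a real executable the same call is `patch_file("sacrypt.exe", "sadecrypt.exe", b"<encrypt export>", b"<decrypt export>")` with the names read from the binary's import table; nothing else in the file moves, which is why a text editor was enough for the original author.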


--(quoting "Sambar Server Support" <[email protected]>)

Many thanks.  Several folks have pointed out this
vulnerability recently.  I used the two-way encryption
algorithm intentionally to allow the password to be
viewed/modified.  I have the option (config.ini) of
substituting UNIX crypt() for the two-way hash I use
(blowfish) and will recommend folks switch to that.

appreciate it.
--(quoting "Sambar Server Support" <[email protected]>)--
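The vendor's reply names the real fix: a one-way function in place of reversible encryption. The page does not give the config.ini option, so this added example (not Sambar code) shows the property that option buys, with PBKDF2-HMAC-SHA256 from Python's standard library standing in for UNIX crypt(): the stored value is recomputed and compared on login, and there is no decryption routine anyone could swap in, with or without the key.

```python
# Added example, not Sambar code and not the config.ini switch the vendor
# mentions. PBKDF2-HMAC-SHA256 (stdlib) stands in for UNIX crypt() (assumption).
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """One-way: returns 'algo$iterations$salt$digest'. There is no inverse."""
    salt = os.urandom(16) if salt is None else salt   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed or foreign records verify as False rather than raising, so a
    corrupted password file cannot be turned into a bypass.
    """
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

Compare this with the scheme the advisory describes: there the server must hold the key to *check* a password, and the same key returns the password itself, so the "encrypted" file is plaintext to anyone holding the binaries.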

       { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod