Cracking Eudora Mail Client Passwords

Cracking Eudora Mail Passwords Made Easy

Reported December 15, 1997 by QualComm

Systems Affected

Any system using Eudora as a mail client

Description:

A program called "EUDPASS.COM" can read the Eudora INI file and locate the password entry. Once located, the program runs a symmetric algorithm and decrypts the password back to clear text.

Demonstration Code:

Download the EUDPASS password cracker in ZIP format

QualComm's Response:

Qualcomm is warning users of its popular Eudora email software not to save their passwords on their computers, thanks to the ease with which programs can be designed to decrypt them.

Macintosh computers are similarly vulnerable, according to Qualcomm, but not to the EUDPASS.COM program.

Community Feedback:

Thomas Kindler points out the following, as seen on the Bugtraq mailing list:

It is important to consider the futility of encrypting your Post Office Protocol (Eudora uses the POP protocol to retrieve mail) password when judging Qualcomm. I support the use of strong encryption when any program "remembers" a user's password but in this case it is a waste of time.

Why? Many people do not realize that the POP protocol exchanges their password over the network UNENCRYPTED each time the mail server is contacted. If I recall correctly the protocol does break the password up so it doesn't travel across the LAN in a single packet but one could hardly consider that secure. Unless your network is "port switched" or you are using some form of TCP connection encryption anyone with a packet analyzer and access to your LAN can snoop every password used by every POP mail user.

Additionally, if your Eudora INI file, or any other data store used to "remember" passwords (MS Internet Mail uses the registry), isn't secure neither a "port switched" network nor TCP connection encryption will protect you. Anyone can decrypt your password in five easy steps.

1. Install the associated mail application, for example Eudora, with POP server configured as localhost
2. Copy the password entry from the target user's INI file (or registry key in the case of Internet Mail)
3. Start a program designed to accept incoming TCP connections on the POP port
4. Start the mail application and acquire mail
5. When the TCP connection is established send "+OK" twice from the incoming TCP connection program and the password will be returned UNENCRYPTED

When I forgot my password a while back, I was able to accomplish this scenario (including writing a program to accept incoming TCP connections) in a few hours. I realize that some changes in the encryption algorithm could be made to make this more difficult but generally the encryption of something that will be exchanged publicly in clear text is futile.
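The cleartext exposure described in the feedback above can be checked from the defender's side against a traffic capture. The following is an added example, not code from the original advisory: it scans a line-oriented POP3 transcript for the RFC 1939 USER and PASS commands, which carry the credentials as plain text, and reports which accounts were exposed without echoing the secret. The `S:`/`C:` transcript format, the sample sessions and the function name are assumptions constructed for illustration.

```python
# Constructed sample: two POP3 sessions as a line-oriented capture might
# record them ("S:" = server line, "C:" = client line). Not real traffic.
SAMPLE_CAPTURE = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2-constructed
S: +OK maildrop locked and ready
C: STAT
S: +OK 2 320
C: QUIT
S: +OK bye
S: +OK POP3 server ready <1896.697170952@mail.example>
C: APOP bob 0123456789abcdef0123456789abcdef
S: +OK maildrop has 1 message
C: QUIT
S: +OK bye
"""


def find_cleartext_logins(capture: str) -> list:
    """Return one finding per cleartext PASS command, with the secret redacted."""
    findings = []
    session, user, state = 0, None, "idle"   # state: idle / open / closing
    for lineno, raw in enumerate(capture.splitlines(), start=1):
        side, _, text = raw.partition(": ")
        if side == "S":
            if state == "closing":            # server's reply to QUIT ends the session
                state = "idle"
            elif state == "idle" and text.startswith("+OK"):
                session, user, state = session + 1, None, "open"   # greeting
            continue
        if side != "C":
            continue                          # ignore anything that is not a client line
        verb, _, arg = text.partition(" ")
        verb = verb.upper()                   # POP3 keywords are case-insensitive
        if verb == "USER":
            user = arg
        elif verb == "PASS":                  # password sent as plain text
            findings.append({"session": session, "line": lineno,
                             "user": user, "secret_len": len(arg)})
        elif verb == "QUIT":
            state = "closing"
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"session {f['session']} line {f['line']}: cleartext PASS for "
              f"user {f['user']!r} ({f['secret_len']} chars, redacted)")
```

The second constructed session authenticates with APOP, which sends a digest rather than the password, so only the first session is reported.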


Credit:
Reported by: QualComm
Posted here at NTSecurity.Net February 15, 1997
