SmartServer3 (SS3) is a small business email server from NetCPlus. It is installed by default in C:\Program Files\smartserver3\, and in this folder it stores a configuration file called 'dialsrv.ini'. This file is readable by all local users and contains an entry for every user, including that user's encrypted password. The encryption algorithm is extremely weak and can be easily broken.
The encrypted form of a password depends only on the password itself and on the first letter of the POP userID, which is given in the entry "dir=CARL". The attached source code decrypts a password of up to 8 characters in length (for shorter passwords, ignore the extra output characters). To decrypt a password longer than 8 characters, run the program twice and enter the characters after the 8th as a new series (character 9 becomes position 1, character 10 becomes position 2, and so on). Remember to enter the first letter of the username into the program as well.
Though it has some other strange properties, the scheme works by adding a position-specific value to each character of the password. Any password character that is the same as the first character of the username is encrypted to a fixed default value. For instance, the user BOB with the password 'Book' will have the same encrypted character for the first letter of his password as the user CARL with the password 'Catfish'. See the exploit code for more details.
A legitimate administrator can see any user's password after logging into the SS3 console by editing a user and unchecking the 'hide password' box.