lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 15 Mar 2003 20:13:43 +0100
From: Dennis Lubert <plasmahh@...ormatik.uni-bremen.de>
To: bugtraq@...urityfocus.com
Subject: qpopper timing analysis on to determine if a username exists
  on a system

Hello,

during development of a pop3 tool I found an issue that makes it possible 
for any user to check the validity of a user on a target system. If a user 
is valid and an invalid password has been supplied, then the system waits 
~10 seconds until it sends a disconnect message and disconnect. If the 
username was not correct, then it disconnect immediately after the wrong 
password.

This makes it possible to scan a server for valid users, to generate spam 
sending lists, or to check a username for another kind of attack.

Tested against qpopper 3.1 and 4.0.4, others might be affected as well.

Attached is the source code for a program that will do a simple check on a 
pop3 server. Additionally qpopper will also return an answer if the 
username supplied has a UID < 100 (< 10 for 3.1), which will also been checked.

The fix should be simple, there must be a usleep() call or similar that 
should either be deleted, or added also to the part where the username was 
not correct.

greets

Dennis 
View attachment "poptest.cpp" of type "text/plain" (3146 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ