Date: Mon, 17 Mar 2003 16:09:02 +0200
From: Waldo Nell <pwnell@...rica.com>
To: bugtraq@...urityfocus.com
Subject: Re: qpopper timing analysis on to determine if a username exists  on a system


Hi,

I have tested this on my qpopper 4.0.5 - and I get this response no matter 
from which host I test (even localhost):

sun waldo # ./poptest mail.XXX.net gert
Validating username gert , please stand by..
Disconnected after 119.993 seconds.
User "gert" is probably a valid user

But that user is not a valid user. I have APOP authentication on and required, 
thus the pop server responded with

You must use TLS/SSL or stronger authentication such as APOP to connect to 
this server

Maybe this is a temporary solution? Or maybe the issue was fixed in 4.0.5?

Regards,
- Waldo

On Saturday 15 March 2003 21:13, Dennis Lubert wrote:
> Hello,
>
> during development of a pop3 tool I found an issue that makes it possible
> for any user to check the validity of a user on a target system. If a user
> is valid and an invalid password has been supplied, then the system waits
> ~10 seconds until it sends a disconnect message and disconnects. If the
> username was not correct, then it disconnects immediately after the wrong
> password.
>
> This makes it possible to scan a server for valid users, to generate spam
> sending lists, or to check a username for another kind of attack.
>
> Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
>
> Attached is the source code for a program that will do a simple check on a
> pop3 server. Additionally qpopper will also return an answer if the
> username supplied has a UID < 100 (< 10 for 3.1), which will also be
> checked.
>
> The fix should be simple, there must be a usleep() call or similar that
> should either be deleted, or added also to the part where the username was
> not correct.
>
> greets
>
> Dennis
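
Added example, not part of either post and not qpopper's code: a sketch in C of the second fix option Dennis describes, where a failed login takes the same path (one comparison, one delay) whether or not the username exists. The account table, pop_login(), login_ms() and the 50 ms delay are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <time.h>

#define FAIL_DELAY_MS 50L /* assumed value; the post reports ~10 s */

struct account { const char *user, *pass; };
static const struct account accounts[] = { {"alice", "correct horse"} }; /* constructed */

/* Compare every byte of the supplied password; no early exit on mismatch. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

static void fail_delay(void) {
    struct timespec ts = { FAIL_DELAY_MS / 1000, (FAIL_DELAY_MS % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { } /* resume if interrupted */
}

/* Returns 1 on success, 0 on failure. An unknown user is checked against a
   dummy password, so "no such user" and "wrong password" both do one
   comparison and one delay before the same failure result. */
int pop_login(const char *user, const char *pass) {
    const char *stored = ""; /* dummy used when the user is unknown */
    int known = 0, ok;
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(user, accounts[i].user) == 0) {
            stored = accounts[i].pass;
            known = 1;
        }
    ok = ct_equal(pass, stored) & known;
    if (!ok)
        fail_delay();
    return ok;
}

/* Wall-clock milliseconds spent in one login attempt, as a remote client would see it. */
long login_ms(const char *user, const char *pass) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    pop_login(user, pass);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return ((b.tv_sec - a.tv_sec) * 1000000000L + (b.tv_nsec - a.tv_nsec)) / 1000000L;
}
```

Measuring login_ms() for a known user with a wrong password and for an unknown user should give the same delay, which is the property the timing check in the report relies on being absent.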


