lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 May 2005 21:27:59 +0200
From: Markus W├Ârle <mrks@...s.de>
To: bugtraq@...urityfocus.com
Subject: Mac OS 10.4: new-account-wizzard in Mail 2.0 sends clear-text passwords


Hello there!

I reported this bug at 01-May-2005 09:21 PM CEST to Apples bug- 
reporting facility (Problem ID: 4104391) without reply yet.

Summary:
At its first use, Mail.app 2.0 will launch a new-account-wizzard that  
leads through the account-creation process. This wizzard asks for a  
name, a loginname, a password and then tries to validate these  
informations by loging in. In case ones ISP offers an IMAP server  
with normal IMAP (port 143) and IMAP over SSL (port 933) the wizzard  
uses the insecure IMAP to login and validate the settings. This  
happens _before_ it asks whether to use SSL or not. In this case, the  
only chance not to scream out a password while creating the first  
account  is to use a wrong password or to disconnect from the internet.

Steps to Reproduce:
0. Make sure your email ISP provides IMAP and IMAP over SSL.
1. Launch Mail.app 2.0 the first time or use "File - Add Account..."
2. Create a new account, choose:
     Account Type: IMAP
     some account description
     your full name
     your email address
3. click "Continue"
4. Fill in:
     your incoming mail server
     your username
     your password
5. Launch some packet sniffing utillity (e.g. tcpdump, ngrep or  
something similar) to watch your inet device (especially ip port 143).
6. click "Continue". Mail.app will now validate your settings by  
logging in. It will use your IMAP without SSL by default and send  
your password clear-text through the net. Watch your packet sniffer.
7. On the next page you'll get asked whether to use SSL or not, but  
thats probably too late.

Expected Results:
The wizard should try to open a socket but don't log in, or ask  
whether to use SSL or not _before_ validating the account settings

Actual Results:
It opens a socket and logs in without giving the user the chance to  
activate SSL.

Notes:
* haven't tried this with POP and POPs
* maybe similar problems with SMTP-Auth if the SMTP server supports  
STARTTLS, but only AUTH PLAIN (and no AUTH CRAM-MD5) SASL authentication

Ciao!
mrks



Powered by blists - more mailing lists