lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri Oct 14 14:01:27 2005
From: mmadison at fnni.com (Madison, Marc)
Subject: Mozilla Thunderbird SMTP down-negotiation
	weakness

When will Mozilla get it right?  There products seems to be riddle with
encryption problems?  My suggestion; hire someone that knows how to
implement encryption CORRECTLY.  

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thomas
Henlich
Sent: Friday, October 14, 2005 7:21 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Mozilla Thunderbird SMTP down-negotiation
weakness

MOZILLA THUNDERBIRD SMTP DOWN-NEGOTIATION WEAKNESS

Thomas Henlich <thomas@...lich.de>

SUMMARY

Mozilla Thunderbird SMTP down-negotiation behaviour allows a man-
in-the-middle (MITM) attack to bypass TLS initialization and/or
downgrade CRAM-MD5 to PLAIN authentication, leading to exposure of
authentication information. Failure in CRAM-MD5 authentication also
leads to exposure of authentication information to a passive
eavesdropper.

BACKGROUND

Mozilla Thunderbird is a mail user agent with support for SMTP PLAIN and
CRAM-MD5 authentication and for secure SMTP over TLS.

CRAM-MD5 is a method for secure user authentication which avoids
plaintext transmission of sensitive information (account/ password). TLS
is a security protocol to protect transmitted data against
eavesdropping.

AFFECTED VERSIONS

- Mozilla Thunderbird 1.0.7 (20050923)
- Mozilla Thunderbird 1.5 Beta 2 (20051006)
- possibly other programs using the Mozilla mail component

DESCRIPTION

The SMTP negotiation in Mozilla Thunderbird is implemented in a way that
if a secure data exchange (CRAM-MD5 or STARTTLS) between client and
server can not be established, an insecure method is used instead. The
user is not notified of this and can not cancel this insecure data
exchange. An intermediate attacker can utilize this behaviour to gain
sensitive account/password information. As
CRAM-MD5 and TLS were designed to avoid eavesdropping attacks, currently
the implementation of Mozilla's SMTP client fails to meet these design
goals. Several methods of attack are possible:

A1. Passive eavesdropping attack on CRAM-MD5 authentication failure

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
  MD5 authentication
- Attacker A1 who can read network traffic from C to S

Sequence of attack

- User accidentally mistypes password (e.g. "secrez" instead
  "secret").
- C tries CRAM-MD5 authentication which fails.
- C retries with PLAIN authentication.
- A1 can guess the correct password from sniffed connection.

A2. One-way active MITM attack on CRAM-MD5 capability advertisement

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
  MD5 authentication.
- Attacker A2 who can read network traffic from C to S and modify
  network traffic from S to C

Sequence of attack

- S sends EHLO response.
- A2 discards S's SMTP authentication advertisement and sends
  "AUTH PLAIN" advertisement to C.
- C connects with PLAIN authentication.
- A2 can read cleartext password.

A3. One-way active MITM attack on CRAM-MD5 authentication attempt

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
  MD5 authentication.
- Attacker A3 who can read and modify network traffic from C to S

Sequence of attack

- S sends CRAM-MD5 challenge to C.
- C sends authentication, but A3 transmits a different (random)
  response causing authentication to fail.
- C reauthenticates with PLAIN authentication.
- A3 can read cleartext password.

A4. One-way active MITM attack on STARTTLS capability advertisement

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server which supports and advertises STARTTLS
- Attacker A4 who can read network traffic from C to S and modify
  network traffic from S to C

Sequence of attack

- S sends EHLO response with STARTTLS advertisement.
- A4 discards S's STARTTLS advertisement.
- PLAIN authentication takes place.
- A4 can read cleartext password.

RESOLUTION

For A1-A3 no resolution is known. For A4, set user preference to enforce
TLS.

PROOF OF CONCEPT

A TCP proxy application demonstrating these weaknesses is available from
http://www.henlich.de/moz-smtp/stcppipe-x.zip

TIMELINE

- 2005-10-08: Opened Bugzilla Bug 311657
- 2005-10-11: Reported to security@...illa.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ