Enumeration of AS/400 users and their status via POP3


From: "Shalom Carmel" <shalom@venera.com.>
To: "bugtraq" <bugtraq@securityfocus.com.>
Subject: Enumeration of AS/400 users and their status via POP3
Date: Fri, 15 Apr 2005 02:11:36 +0300

Enumeration of AS/400 users and their status via POP3

Overview
------------
The POP3 service is installed on all modern AS/400 
and iSeries servers, and is turned on by default, 
even in cases when email serving was not set up. 

To access a POP3 server, you must authenticate and 
provide a user and a password. Unfortunately, 
the POP3 users represent real AS/400 user profiles: 
POP3 will authenticate any valid user profile, 
and the service provides too much information during 
authentication.

The status messages POP3 displays are:

No user found
Good user, password not correct for user profile
Good user, but user profile is disabled
Good user, but password for user profile has expired
Good user, but no password associated with user profile
Good password, good user

The unsuccessful attempts are logged only in the security
audit log, and only if the audit log is turned on.

There is no security exit program protecting the POP3 server.

A phonebook attack can probably enumerate most of the users,
giving the attacker a vector for a social engineering session.

For full details please read the article found at 
http://www.venera.com/downloads.htm
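
Added example (not part of the original advisory): a detection sketch for the phonebook-style enumeration described above, run over failed-logon records exported from the security audit log. The record layout, outcome labels, thresholds and sample lines are constructed assumptions; map your own audit export onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, profile tried, outcome.
# This layout is an assumption, not the native audit journal format.
SAMPLE = """\
2005-04-15T02:00:01 192.0.2.10 ADAMS no_user
2005-04-15T02:00:03 192.0.2.10 BAKER bad_password
2005-04-15T02:00:05 192.0.2.10 CLARK no_user
2005-04-15T02:00:07 192.0.2.10 DAVIS disabled
2005-04-15T02:00:09 192.0.2.10 EVANS expired
2005-04-15T02:00:11 192.0.2.10 FOSTER no_user
2005-04-15T02:01:00 198.51.100.7 BAKER bad_password
2005-04-15T02:01:20 198.51.100.7 BAKER ok
"""

# Failure outcomes that tell the client the profile exists,
# following the status message list in the advisory.
CONFIRMS_USER = {"bad_password", "disabled", "expired", "no_password"}

def parse(text):
    """Yield (timestamp, source, profile, outcome) tuples from the export."""
    for line in text.splitlines():
        if line.strip():
            ts, src, user, outcome = line.split()
            yield datetime.fromisoformat(ts), src, user.upper(), outcome

def detect_enumeration(events, window=timedelta(minutes=5), max_users=4):
    """Flag sources that try more than max_users distinct profiles within
    the sliding window; return {source: profiles whose existence leaked}."""
    recent = defaultdict(deque)   # source -> (timestamp, profile) in window
    leaked = defaultdict(set)     # source -> profiles confirmed by a failure
    flagged = set()
    for ts, src, user, outcome in sorted(events):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop attempts older than window
            q.popleft()
        if outcome in CONFIRMS_USER:
            leaked[src].add(user)
        if len({u for _, u in q}) > max_users:
            flagged.add(src)
    return {src: leaked[src] for src in flagged}

if __name__ == "__main__":
    for src, users in detect_enumeration(parse(SAMPLE)).items():
        print(f"{src}: possible enumeration, profiles exposed: {sorted(users)}")
```

This only works if the audit log is turned on, since the advisory notes that failed attempts are recorded nowhere else.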

