APOP vulnerability Apr 02 2007 03:13PM
gaetan leurent ens fr (GaŽtan LEURENT) (1 replies)
Re: APOP vulnerability Apr 03 2007 08:22AM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Dear Gaëtan LEURENT,

--Monday, April 2, 2007, 7:13:28 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:


GL> CVE-2007-1558

GL> Short description:

GL> Security vulnerability in the APOP protocol, related to recent
GL> collision attacks by Wang and al. against MD5. Using the man in the
GL> middle setting, one can recover the first characters of the password
GL> with a few hundred authentications from the client.


GL> This attack is really a practical one: it needs about an hour of
GL> computation and a few hundred authentications from the client, and can
GL> recover three password characters (brute-forcing 5 characters is a
GL> matter of hours). I tested it against Thunderbird, Evolution, mutt,
GL> and fetchmail, and it does work.

While it's really a weakness in APOP protocol, I don't share opinion
this attack is practical, because there are few factors:

First, it requires stable _active_ Man-in-the-middle attack, that is
ability to spoof replies from and to server. Under this condition
attacker can do a lot of harm without APOP, e.g. inject malware into
content of trusted web page or even attempt to spoof certificates for
encrypted protocols. Additionally, under these conditions (challenge is
choosen by attacker) rainbow tables can be used against APOP. Using
rainbow tables seems more practical for 8-character password.

Second, under these conditions attacker already has access to the
mailbox content. After session is authenticated, attacker can inject any
commands and retrieve any message, even if it's not requested by the
client. Cleartext password gives no additional information for the
attacker, unless the same password is used for something else. In case
of APOP it's not likely same password is used for something else,
because this authentication is 1. only used in POP3 and, 2. unlike CRAM-
and DIGEST- authentications, server must store cleartext or reversable

Third, during this attack client can not authenticate with a server. In
case of active MitM, attacker can hide this fact from the client by
making false positive response showing an empty mailbox. Depending on
mailbox usage, it may be detected by the client that messages are
delayed, even if you allow 50% of authentications to pass.

~/ZARAZA http://securityvulns.com/

[ reply ]
Re: APOP vulnerability Apr 03 2007 04:18PM
gaetan leurent ens fr (Gaëtan LEURENT) (1 replies)
Re[2]: APOP vulnerability Apr 03 2007 04:50PM


Privacy Statement
Copyright 2010, SecurityFocus