<<< Date Index >>>     <<< Thread Index >>>

Re: APOP vulnerability



Dear Gaëtan LEURENT,

--Monday, April 2, 2007, 7:13:28 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

GL> CVE-Id:

GL>   CVE-2007-1558

GL> Short description:
  
GL>   Security vulnerability in the APOP protocol, related to recent
GL>   collision attacks by Wang and al. against MD5.  Using the man in the
GL>   middle setting, one can recover the first characters of the password
GL>   with a few hundred authentications from the client.

<skip>

GL>   This attack is really a practical one: it needs about an hour of
GL>   computation and a few hundred authentications from the client, and can
GL>   recover three password characters (brute-forcing 5 characters is a
GL>   matter of hours).  I tested it against Thunderbird, Evolution, mutt,
GL>   and fetchmail, and it does work.

While  it's  really  a  weakness in APOP protocol, I don't share opinion
this attack is practical, because there are few factors:

First,  it  requires  stable  _active_ Man-in-the-middle attack, that is
ability  to  spoof  replies  from  and  to  server. Under this condition
attacker  can  do  a  lot of harm without APOP, e.g. inject malware into
content  of  trusted  web page or even attempt to spoof certificates for
encrypted  protocols. Additionally, under these conditions (challenge is
choosen  by  attacker)  rainbow  tables  can be used against APOP. Using
rainbow tables seems more practical for 8-character password.

Second,  under  these  conditions  attacker  already  has  access to the
mailbox content. After session is authenticated, attacker can inject any
commands  and  retrieve  any  message, even if it's not requested by the
client.  Cleartext  password  gives  no  additional  information for the
attacker,  unless  the same password is used for something else. In case
of  APOP  it's  not  likely  same  password  is used for something else,
because this authentication is 1. only used in POP3 and, 2. unlike CRAM-
and  DIGEST-  authentications, server must store cleartext or reversable
password.

Third,  during this attack client can not authenticate with a server. In
case  of  active  MitM,  attacker  can hide this fact from the client by
making  false  positive  response showing an empty mailbox. Depending on
mailbox  usage,  it  may  be  detected  by  the client that messages are
delayed, even if you allow 50% of authentications to pass.

-- 
~/ZARAZA http://securityvulns.com/