Re[2]: APOP vulnerability

To: gaetan.leurent@xxxxxx (Gaëtan LEURENT )
Subject: Re[2]: APOP vulnerability
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Tue, 3 Apr 2007 20:50:15 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <qlky7l9qvnn.fsf@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <qlk3b3i24iv.fsf@xxxxxxxxxxxxxx> <594492005.20070403122212@xxxxxxxxxxxxxxxx> <qlky7l9qvnn.fsf@xxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear Gaëtan LEURENT,

--Tuesday, April 3, 2007, 8:18:04 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:


GL> I meant practical in the sense that it does work in practice (it's not
GL> an attack needing 2^80 computations or something like that), but I don't
GL> know what are the practical implications of the attack :-)
GL> (to begin with, I don't know if many people are using APOP).

A  number  of  POP3  servers support APOP, but most of them require some
special configuration. And it seems like Mozilla attempts to use APOP if
APOP  banner  is  present  in  server  reply  and  no secure protocol is
configured.  So  yes,  it's  used,  but  mostly  as  an  alternative  to
cleartext.  Based  on  last  115000  sessions  statistics for ISP's mail
server with CRAM-MD5, APOP and NTLM support, ~7000 mailboxes:

  Cleartext: 96,3%
  APOP:      2,1%
  CRAM-MD5:  1%
  NTLM:      0.6%



-- 
~/ZARAZA http://securityvulns.com/

References:
- APOP vulnerability
  - From: Gaëtan LEURENT
- Re: APOP vulnerability
  - From: 3APA3A
- Re: APOP vulnerability
  - From: Gaëtan LEURENT

Prev by Date: Re: APOP vulnerability
Next by Date: Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Previous by thread: Re: APOP vulnerability
Next by thread: iDefense Security Advisory 04.02.07: Hewlett-Packard Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability
Index(es):
- Date
- Thread