[15538] in bugtraq
Re: Problems with FTGate
daemon@ATHENA.MIT.EDU (Jeremy C. Reed)
Wed Jun 28 19:47:46 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSI.4.21.0006271755070.4595-100000@mail.postalzone.com>
Date: Tue, 27 Jun 2000 18:13:41 -0700
Reply-To: "Jeremy C. Reed" <jcr@IWBC.NET>
From: "Jeremy C. Reed" <jcr@IWBC.NET>
X-To: Andrew Lewis <wizdumb@UNIX.ZA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.10.10006262019340.87758-100000@unix.za.net>
On Mon, 26 Jun 2000, Andrew Lewis wrote:
> FTGate's POP3 server responds to invalid USER requests with a -ERR code
> and doesn't disconnect you. This means that it is possible to bruteforce
> usernames and passwords with ease.
What does "invalid USER requests" mean? It is normal for (at least RFC
1939-based) POP3 servers to output an "-ERR" message and to then allow the
user to attempt another USER/PASS attempt.
From RFC 1939:

    To authenticate using the USER and PASS command
    combination, the client must first issue the USER
    command. If the POP3 server responds with a positive
    status indicator ("+OK"), then the client may issue
    either the PASS command to complete the authentication,
    or the QUIT command to terminate the POP3 session. If
    the POP3 server responds with a negative status indicator
    ("-ERR") to the USER command, then the client may either
    issue a new authentication command or may issue the QUIT
    command.
This issue (problem?) exists in several other POP3 servers, including the
patched (for virtual domains) version of gnu-pop3d that I use.
RFC 2449 has a capability idea called LOGIN-DELAY that may partially help
this problem. Since most POP3 connections are done via a script or a
program (not manually), I agree that a POP3 server should close the
connection after an "-ERR" in the authorization state. (Of course, a more
serious problem is using plain POP3 to transfer plain-text usernames and
passwords -- but that's another discussion.)
Jeremy Reed
http://www.iwbc.net/
http://bsd.reedmedia.net/
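As an added illustration of the two behaviours discussed in this message (example code, not FTGate, gnu-pop3d or the poster's own), here is a minimal Python model of a POP3 server's AUTHORIZATION state. With close_on_err=False it follows the RFC 1939 text quoted above and lets the client issue another USER/PASS after an -ERR; with close_on_err=True it implements the suggestion to close the connection after an -ERR in the authorization state, and its CAPA reply advertises the RFC 2449 LOGIN-DELAY capability. The account table, the retry script and the 30-second delay value are constructed for the example.

```python
"""Model of POP3 AUTHORIZATION-state handling, with and without closing on -ERR."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store for the example only; no real accounts.
ACCOUNTS: Dict[str, str] = {"alice": "correct horse"}

# Seconds advertised in the RFC 2449 LOGIN-DELAY capability (assumed value).
LOGIN_DELAY_SECONDS = 30

# Constructed client sequence: two failures, then the right credentials.
RETRY_SCRIPT = ["USER bob", "USER alice", "PASS guess", "USER alice", "PASS correct horse"]


@dataclass
class Pop3Session:
    """One POP3 connection in the AUTHORIZATION state (RFC 1939, section 7).

    close_on_err=False reproduces the RFC 1939 default: after an -ERR the client
    may simply try again.  close_on_err=True is the hardening proposed in the
    post: any -ERR during authorization ends the session.
    """

    close_on_err: bool
    state: str = "AUTHORIZATION"        # "TRANSACTION" once USER/PASS succeeds
    pending_user: Optional[str] = None  # name given by USER, awaiting PASS
    open: bool = True
    log: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Process one client command line and return the server's reply."""
        if not self.open:
            raise ConnectionError("session already closed")
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()

        if verb == "CAPA":
            # RFC 2449 capability list; LOGIN-DELAY states the minimum interval
            # between logins that clients are expected to honour.
            reply = f"+OK\r\nLOGIN-DELAY {LOGIN_DELAY_SECONDS}\r\nUSER\r\n."
        elif verb == "QUIT":
            reply = "+OK bye"
            self.open = False
        elif self.state != "AUTHORIZATION":
            reply = "-ERR already authenticated"  # post-login commands are out of scope here
        elif verb == "USER":
            if arg in ACCOUNTS:
                self.pending_user = arg
                reply = "+OK name is a valid mailbox"
            else:
                self.pending_user = None
                reply = "-ERR no such mailbox"
        elif verb == "PASS":
            if self.pending_user is not None and ACCOUNTS[self.pending_user] == arg:
                self.state = "TRANSACTION"
                reply = "+OK mailbox locked and ready"
            else:
                self.pending_user = None  # RFC 1939: a failed PASS requires a fresh USER
                reply = "-ERR invalid password"
        else:
            reply = "-ERR unknown command"

        if reply.startswith("-ERR") and self.state == "AUTHORIZATION" and self.close_on_err:
            self.open = False  # the hardening: one failed attempt per connection
        self.log.append(f"C: {line}  S: {reply.splitlines()[0]}")
        return reply


def run_script(commands: List[str], close_on_err: bool) -> Dict[str, object]:
    """Feed a client command sequence to a fresh session, stopping when the server hangs up.

    Returns how many commands the server accepted within the one connection and
    whether login succeeded, which is the comparison a defender wants to see.
    """
    session = Pop3Session(close_on_err=close_on_err)
    handled = 0
    for cmd in commands:
        if not session.open:
            break
        session.handle(cmd)
        handled += 1
    return {
        "commands_handled": handled,
        "authenticated": session.state == "TRANSACTION",
        "connection_open": session.open,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"close_on_err={policy}: {run_script(RETRY_SCRIPT, close_on_err=policy)}")
```

With close_on_err=False the whole retry script runs inside a single connection; with close_on_err=True the first -ERR ends the session, so every further attempt costs a new TCP connection, where a LOGIN-DELAY-honouring client is expected to wait and a server-side connection limit can apply.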