[15548] in bugtraq


Re: Problems with FTGate

daemon@ATHENA.MIT.EDU (Glynn Clements)
Thu Jun 29 14:20:46 2000

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <14682.61711.40555.690382@cerise.sensei.co.uk>
Date:         Thu, 29 Jun 2000 07:47:43 +0100
Reply-To: Glynn Clements <glynn@SENSEI.CO.UK>
From: Glynn Clements <glynn@SENSEI.CO.UK>
X-To:         "Jeremy C. Reed" <jcr@IWBC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSI.4.21.0006271755070.4595-100000@mail.postalzone.com>

Jeremy C. Reed wrote:

> > FTGate's POP3 server responds to invalid USER requests with a -ERR code
> > and doesn't disconnect you. This means that it is possible to bruteforce
> > usernames and passwords with ease.
>
> What does "invalid USER requests" mean? It is normal for (at least RFC
> 1939-based) POP3 servers to output an "-ERR" message and to then allow the
> user to attempt another USER/PASS attempt.
>
> From RFC 1939:
>
>              To authenticate using the USER and PASS command
>              combination, the client must first issue the USER
>              command.  If the POP3 server responds with a positive
>              status indicator ("+OK"), then the client may issue
>              either the PASS command to complete the authentication,
>              or the QUIT command to terminate the POP3 session.  If
>              the POP3 server responds with a negative status indicator
>              ("-ERR") to the USER command, then the client may either
>              issue a new authentication command or may issue the QUIT
>              command.

RFC 1939 goes on to say:

             The server may return a positive response even though no
             such mailbox exists.  The server may return a negative
             response if mailbox exists, but does not permit plaintext
             password authentication.

AFAIK, it is considered good practice not to make any distinction
between a bad username and a good username with a bad password when
performing username/password authentication.

The UCD-derived pop3d works this way:

	+OK cerise POP3 Server (Version 1.005l) ready at <Thu Jun 29 07:45:26 2000>
	USER foo
	+OK please send PASS command
	PASS xyz
	-ERR invalid usercode or password, please try again

[NB: user "foo" does not exist.]

--
Glynn Clements <glynn@sensei.co.uk>
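
The two server behaviours discussed in this exchange, as an added example that is not code from the thread, from FTGate, or from the UCD-derived pop3d. It is a small in-memory POP3 AUTHORIZATION-state handler with a "leaky" policy (-ERR on USER for an unknown mailbox, the behaviour complained about) and a "uniform" policy (+OK on USER whatever the name, one fixed -ERR text on PASS, as the RFC 1939 passage quoted above permits), plus a client-side probe that tells the two apart. The mailbox table, the SHA-256 password storage, the MAX_FAILURES cut-off and all class and function names are assumptions made for the example.

```python
"""POP3 USER/PASS handler illustrating the username oracle in the thread.

Added example; not code from the thread, FTGate or the UCD pop3d.
Assumed for illustration: the in-memory mailbox table, SHA-256 password
storage, and the MAX_FAILURES disconnect threshold.
"""
import hashlib
import hmac

# Constructed mailbox table: username -> hex SHA-256 of the password.
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}

# Assumed policy: drop the connection after this many bad PASS attempts,
# which addresses the "doesn't disconnect you" half of the complaint.
MAX_FAILURES = 3

# One -ERR text for every PASS failure, whether or not the mailbox exists.
UNIFORM_ERR = "-ERR invalid usercode or password, please try again"

# Compared against when the mailbox does not exist, so the code path and
# its timing match the real-user case.
DUMMY_HASH = hashlib.sha256(b"no-such-mailbox").hexdigest()


class Pop3AuthSession:
    """AUTHORIZATION-state handler for one connection (RFC 1939 section 7).

    policy="leaky":   -ERR on USER for an unknown mailbox, so USER alone
                      tells a client whether the name exists.
    policy="uniform": +OK on USER regardless of the name and one fixed
                      -ERR text on PASS, so a client learns nothing
                      without guessing name and password together.
    """

    def __init__(self, policy="uniform"):
        if policy not in ("leaky", "uniform"):
            raise ValueError(policy)
        self.policy = policy
        self.pending_user = None
        self.failures = 0
        self.closed = False
        self.authenticated = False

    def handle(self, line):
        """Process one client line and return the server's reply line."""
        if self.closed:
            return "-ERR connection closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return self._user(arg)
        if verb == "PASS":
            return self._pass(arg)
        if verb == "QUIT":
            self.closed = True
            return "+OK bye"
        return "-ERR unknown command"

    def _user(self, name):
        if self.policy == "leaky" and name not in USERS:
            self.pending_user = None
            return "-ERR no such user"          # the enumeration oracle
        self.pending_user = name
        return "+OK please send PASS command"

    def _pass(self, password):
        if self.pending_user is None:
            return "-ERR USER first"
        stored = USERS.get(self.pending_user)
        self.pending_user = None                # any PASS consumes the USER
        # Hash and compare even for a nonexistent mailbox, so response time
        # does not leak what the reply text no longer does.
        candidate = hashlib.sha256(password.encode()).hexdigest()
        expected = stored if stored is not None else DUMMY_HASH
        ok = hmac.compare_digest(candidate, expected) and stored is not None
        if ok:
            self.authenticated = True
            return "+OK mailbox locked and ready"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.closed = True                  # same -ERR, then drop the link
        return UNIFORM_ERR


def user_oracle_present(policy, known="alice", unknown="nosuchuser"):
    """Client-side probe: send USER for a real and a bogus name on fresh
    sessions and report whether the replies differ (True = enumerable)."""
    replies = []
    for name in (known, unknown):
        session = Pop3AuthSession(policy)
        replies.append(session.handle("USER " + name).startswith("+OK"))
    return replies[0] != replies[1]


def transcript(policy, lines):
    """Run a scripted client against one session; returns (sent, reply) pairs."""
    session = Pop3AuthSession(policy)
    return [(line, session.handle(line)) for line in lines]


if __name__ == "__main__":
    script = ["USER foo", "PASS xyz", "USER alice", "PASS s3cret", "QUIT"]
    for policy in ("leaky", "uniform"):
        print("--- %s ---" % policy)
        for sent, reply in transcript(policy, script):
            print(sent)
            print(reply)
        print("USER oracle:", user_oracle_present(policy))
```

Under the uniform policy the session for the nonexistent "foo" reads exactly like the pop3d session shown above (+OK to USER, the generic -ERR to PASS); under the leaky policy the probe returns True after two USER commands and no password at all. The failure counter is separate from the message uniformity: a uniform -ERR alone still allows unlimited PASS guesses on the same connection.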
