qpopper timing analysis on to determine if a username exists on a system

• Previous message: Jason Coombs: "A response to Bruce Schneier on MS patch management and Sapphire"
• Next in thread: Waldo Nell: "Re: qpopper timing analysis on to determine if a username exists on a system"
• Reply: Waldo Nell: "Re: qpopper timing analysis on to determine if a username exists on a system"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 15 Mar 2003 20:13:43 +0100
To: bugtraq@securityfocus.com
From: Dennis Lubert <plasmahh@informatik.uni-bremen.de>

Hello,

during development of a pop3 tool I found an issue that makes it possible
for any user to check the validity of a user on a target system. If a user
is valid and an invalid password has been supplied, then the system waits
~10 seconds until it sends a disconnect message and disconnect. If the
username was not correct, then it disconnect immediately after the wrong
password.

This makes it possible to scan a server for valid users, to generate spam
sending lists, or to check a username for another kind of attack.

Tested against qpopper 3.1 and 4.0.4, others might be affected as well.

Attached is the source code for a program that will do a simple check on a
pop3 server. Additionally qpopper will also return an answer if the
username supplied has a UID < 100 (< 10 for 3.1), which will also been checked.

The fix should be simple, there must be a usleep() call or similar that
should either be deleted, or added also to the part where the username was
not correct.

greets

Dennis

• text/plain attachment: poptest.cpp

• Previous message: Jason Coombs: "A response to Bruce Schneier on MS patch management and Sapphire"
• Next in thread: Waldo Nell: "Re: qpopper timing analysis on to determine if a username exists on a system"
• Reply: Waldo Nell: "Re: qpopper timing analysis on to determine if a username exists on a system"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]