The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Protocol POP

vulnerability announce CVE-2007-1558

POP: man in the middle attack on APOP

Synthesis of the vulnerability

An attacker can obtain information on password during a APOP authentication.
Impacted products: Fedora, Mandriva Linux, Windows (platform) ~ not comprehensive, SeaMonkey, Thunderbird, openSUSE, POP protocol, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 03/04/2007.
Revision date: 04/04/2007.
Identifiers: 20070502-01-P, 20070601-01-P, 20070602-01-P, APOP_FSE07, BID-23257, CVE-2007-1558, FEDORA-2007-0001, FEDORA-2007-1447, FEDORA-2007-484, FEDORA-2007-485, FEDORA-2007-539, FEDORA-2007-540, fetchmail-SA-2007-01, MDKSA-2007:105, MDKSA-2007:107, MDKSA-2007:113, RHSA-2007:0344-01, RHSA-2007:0353-01, RHSA-2007:0385-01, RHSA-2007:0386-01, RHSA-2009:1140-02, SUSE-SR:2007:014, VIGILANCE-VUL-6702.

Description of the vulnerability

RFC 1939 defines the APOP command to not have the password in clear on the network:
 - server sends a "<process-ID.clock@hostname>" timestamp
 - client computes and sends "md5(timestamp concatened_to password)"

In 2004, Wang, Feng, Lai and Yu researchers proposed an attack against MD5 algorithm permitting to generate collisions, such as:
  md5(string1) = md5(string2)

This attack can be used against APOP:
 - Attacker is a man in the middle, does not change data, and just adds APOP exchanges toward client to conducts his tests.
 - Attacker computes string1="timestamp1X" and string2="timestamp2X", where X is the character to test and strings generates a collision and length of strings is the same as length of md5 blocks (64 bytes)
 - Attacker sends timestamp1 and stores its answer.
 - Attacker sends timestamp2 and stores its answer.
 - If answers are the same, it means that X character was correctly guessed. Else, attacker choose another character and computes two new strings and loops.
 - When a character is successfully guessed, attacker computes string1="timestamp3XY" and string2="timestamp4XY", and loops.
This attack is currently limited to 3 characters, because of limits in string generation method proposed by Wang.

An attacker can therefore be a man in the middle and guess first characters of user's password. This attack is practical against APOP because client does not send a random, and hashed password is sent automatically by mail user agents.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Protocol POP: