Dear Gaëtan LEURENT,

--Monday, April 2, 2007, 7:13:28 PM, you wrote to bugtraq@securityfocus.com:

GL> CVE-Id:
GL> CVE-2007-1558

GL> Short description:
GL> Security vulnerability in the APOP protocol, related to recent
GL> collision attacks by Wang and al. against MD5. Using the man in the
GL> middle setting, one can recover the first characters of the password
GL> with a few hundred authentications from the client.

<skip>

GL> This attack is really a practical one: it needs about an hour of
GL> computation and a few hundred authentications from the client, and can
GL> recover three password characters (brute-forcing 5 characters is a
GL> matter of hours). I tested it against Thunderbird, Evolution, mutt,
GL> and fetchmail, and it does work.

While it's really a weakness in the APOP protocol, I don't share the opinion that this attack is practical, because there are a few factors:

First, it requires a stable _active_ Man-in-the-middle attack, that is, the ability to spoof replies from and to the server. Under this condition the attacker can do a lot of harm without APOP, e.g. inject malware into the content of a trusted web page or even attempt to spoof certificates for encrypted protocols. Additionally, under these conditions (the challenge is chosen by the attacker) rainbow tables can be used against APOP. Using rainbow tables seems more practical for an 8-character password.

Second, under these conditions the attacker already has access to the mailbox content. After the session is authenticated, the attacker can inject any commands and retrieve any message, even if it's not requested by the client. The cleartext password gives no additional information to the attacker, unless the same password is used for something else. In the case of APOP it's not likely the same password is used for something else, because this authentication is 1. only used in POP3 and, 2. unlike CRAM- and DIGEST- authentications, the server must store a cleartext or reversible password.

Third, during this attack the client cannot authenticate with the server. In the case of active MitM, the attacker can hide this fact from the client by making a false positive response showing an empty mailbox. Depending on mailbox usage, it may be detected by the client that messages are delayed, even if you allow 50% of authentications to pass.

-- 
~/ZARAZA
http://securityvulns.com/
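
The following is an added example, not part of the message above or of any client it names. It shows the APOP digest as RFC 1939 defines it (MD5 over the greeting's timestamp followed by the shared secret) together with a client-side check that refuses to hash a challenge that is not a well-formed RFC 822 msg-id, which narrows what a man in the middle who chooses the challenge can supply. The function names, the length limit and the strict "timestamp ends the greeting" rule are assumptions of this sketch; the hostile greeting is constructed.

```python
import hashlib
import re

# RFC 1939: the timestamp in the greeting has RFC 822 msg-id syntax.
# Assumption of this sketch: printable ASCII only, exactly one "@",
# and no "<" or ">" inside the brackets.
_MSG_ID = re.compile(rb"<[!-;=?A-~]+@[!-;=?A-~]+>")
MAX_CHALLENGE_LEN = 255  # assumed sanity limit, not taken from the RFC


def extract_challenge(greeting: bytes) -> bytes:
    """Return the validated APOP challenge from a greeting or raise ValueError."""
    if not greeting.startswith(b"+OK"):
        raise ValueError("greeting is not a positive response")
    start = greeting.find(b"<")
    if start < 0:
        raise ValueError("server did not offer an APOP timestamp")
    # Strict: the timestamp must be the last thing on the greeting line.
    challenge = greeting[start:].rstrip(b"\r\n")
    if len(challenge) > MAX_CHALLENGE_LEN or not _MSG_ID.fullmatch(challenge):
        raise ValueError("APOP challenge is not a valid msg-id; refusing to hash")
    return challenge


def apop_digest(challenge: bytes, secret: bytes) -> str:
    """MD5(timestamp || secret) as lowercase hex, per RFC 1939."""
    return hashlib.md5(challenge + secret).hexdigest()


def apop_command(user: str, secret: bytes, greeting: bytes) -> bytes:
    """Build the APOP line, but only for a greeting that passes validation."""
    digest = apop_digest(extract_challenge(greeting), secret)
    return f"APOP {user} {digest}\r\n".encode("ascii")


# Greeting and secret from the RFC 1939 APOP example.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
# Constructed: a greeting whose "timestamp" carries raw binary bytes.
BINARY_GREETING = b"+OK ready <1896.\x80\x00\xff\x1b@dbc.example>\r\n"

if __name__ == "__main__":
    print(apop_command("mrose", b"tanstaaf", RFC_GREETING))
    try:
        apop_command("mrose", b"tanstaaf", BINARY_GREETING)
    except ValueError as err:
        print("rejected:", err)
```

A client that fails the check should abort the session rather than retry automatically, since the attack described in the quoted advisory depends on repeated authentications.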