Something else from BugTraq about Qpopper.

--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : [EMAIL PROTECTED]
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
----- Original Message -----
From: "Dennis Lubert" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 15, 2003 2:13 PM
Subject: qpopper timing analysis on to determine if a username exists on a system

> Hello,
>
> during development of a pop3 tool I found an issue that makes it possible
> for any user to check the validity of a user on a target system. If a user
> is valid and an invalid password has been supplied, then the system waits
> ~10 seconds until it sends a disconnect message and disconnects. If the
> username was not correct, then it disconnects immediately after the wrong
> password.
>
> This makes it possible to scan a server for valid users, to generate spam
> sending lists, or to check a username for another kind of attack.
>
> Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
>
> Attached is the source code for a program that will do a simple check on a
> pop3 server. Additionally qpopper will also return an answer if the
> username supplied has a UID < 100 (< 10 for 3.1), which will also be checked.
>
> The fix should be simple, there must be a usleep() call or similar that
> should either be deleted, or added also to the part where the username was
> not correct.
>
> greets
>
> Dennis

poptest.cpp
Description: Binary data
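
Added example, not part of the original post and not Qpopper's source: a small C model of the failure paths the report describes next to a variant where every failed login gets the same reply and the same delay (the "add the delay to the other path" option). The account table, reply codes and function names are constructed for illustration, and the delay is returned as a number rather than slept.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample accounts; names, passwords and UIDs are made up. */
struct account { const char *user; const char *pass; unsigned uid; };
static const struct account ACCOUNTS[] = {
    { "alice",  "correct-horse", 1001 },
    { "daemon", "x",             2    },
};
#define MIN_UID    100u  /* low-UID cutoff the post gives for 4.0.4 */
#define FAIL_DELAY 10u   /* seconds; the ~10 s wait described in the post */

enum reply { REPLY_OK, REPLY_FAIL, REPLY_LOW_UID };
struct outcome { enum reply reply; unsigned delay; /* seconds a server would sleep */ };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Model of the reported behaviour: three distinguishable failure paths. */
struct outcome auth_leaky(const char *user, const char *pass) {
    const struct account *a = lookup(user);
    if (a == NULL)                       /* unknown user: fails immediately */
        return (struct outcome){ REPLY_FAIL, 0 };
    if (a->uid < MIN_UID)                /* low UID: gets its own answer */
        return (struct outcome){ REPLY_LOW_UID, 0 };
    if (strcmp(a->pass, pass) != 0)      /* known user, bad password: delayed */
        return (struct outcome){ REPLY_FAIL, FAIL_DELAY };
    return (struct outcome){ REPLY_OK, 0 };
}

/* Hardened variant: every failure yields the same reply and the same delay. */
struct outcome auth_uniform(const char *user, const char *pass) {
    const struct account *a = lookup(user);
    int ok = a != NULL && a->uid >= MIN_UID && strcmp(a->pass, pass) == 0;
    if (ok) return (struct outcome){ REPLY_OK, 0 };
    return (struct outcome){ REPLY_FAIL, FAIL_DELAY };
}

/* Returns 1 when a wrong-password attempt looks identical for both names. */
int indistinguishable(struct outcome (*auth)(const char *, const char *),
                      const char *user_a, const char *user_b) {
    struct outcome x = auth(user_a, "wrong"), y = auth(user_b, "wrong");
    return x.reply == y.reply && x.delay == y.delay;
}

int main(void) { return !indistinguishable(auth_uniform, "alice", "nobody"); }
```

Keeping the delay on every failure path, rather than deleting it, preserves the throttling of password guessing while removing the difference between existing and non-existing names.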