Subject: Re: Problems with FTGate
From: Jeremy C. Reed (jcrIWBC.NET)
Date: Tue Jun 27 2000 - 20:13:41 CDT


On Mon, 26 Jun 2000, Andrew Lewis wrote:

> FTGate's POP3 server responds to invalid USER requests with a -ERR code
> and doesn't disconnect you. This means that it is possible to bruteforce
> usernames and passwords with ease.

What does "invalid USER requests" mean? It is normal for (at least RFC
1939-based) POP3 servers to output an "-ERR" message and to then allow the
user to attempt another USER/PASS attempt.

From RFC 1939:

             To authenticate using the USER and PASS command
             combination, the client must first issue the USER
             command. If the POP3 server responds with a positive
             status indicator ("+OK"), then the client may issue
             either the PASS command to complete the authentication,
             or the QUIT command to terminate the POP3 session. If
             the POP3 server responds with a negative status indicator
             ("-ERR") to the USER command, then the client may either
             issue a new authentication command or may issue the QUIT
             command.

This issue (problem?) exists in several other POP3 servers, including the
patched (for virtual domains) version of gnu-pop3d that I use.

RFC 2449 has a capability idea called LOGIN-DELAY that may partially help
this problem. Since most POP3 connections are done via a script or a
program (not manually), I agree that a POP3 server should close the
connection after an "-ERR" in the authorization state. (Of course, a more
serious problem is using plain POP3 to transfer plain-text usernames and
passwords -- but that's another discussion.)

         Jeremy Reed

         http://www.iwbc.net/
         http://bsd.reedmedia.net/
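The two behaviours compared in this thread, as an added illustration that is not FTGate's, gnu-pop3d's or the poster's code: a toy POP3 AUTHORIZATION-state handler that can either follow the RFC 1939 default (reply "-ERR" and let the client try again on the same connection) or the hardened variant Jeremy suggests (drop the connection after the first "-ERR" and advertise the RFC 2449 LOGIN-DELAY capability). The user table, salt and command script are constructed for the example; replying "+OK" to every USER so the reply does not reveal whether the mailbox exists is an additional mitigation, not something the thread describes.

```python
"""Toy POP3 authorization-state handler (added example; not server code from
the thread). Models RFC 1939 retry-after-ERR versus close-after-ERR plus
RFC 2449 LOGIN-DELAY. Users, salt and the sample script are constructed."""
import hashlib
import hmac


def _digest(salt, password):
    """Salted SHA-256 of a password (toy storage scheme for the example)."""
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"example-salt"                          # constructed
USERS = {                                        # constructed sample mailboxes
    "alice": _digest(_SALT, "correct horse"),
    "bob": _digest(_SALT, "hunter2"),
}


class Pop3AuthSession:
    """Tracks one connection through the POP3 AUTHORIZATION state."""

    def __init__(self, close_on_err, login_delay=0):
        self.close_on_err = close_on_err  # hardened: drop connection after -ERR
        self.login_delay = login_delay    # seconds, advertised via CAPA (RFC 2449)
        self.user = None                  # username from the last USER command
        self.authenticated = False
        self.open = True
        self.failures = 0                 # useful for logging/alerting

    def capabilities(self):
        """Lines of a CAPA response in RFC 2449 multi-line format."""
        caps = ["+OK Capability list follows", "USER"]
        if self.login_delay:
            caps.append("LOGIN-DELAY %d" % self.login_delay)
        caps.append(".")
        return caps

    def handle(self, line):
        """Process one client command line and return the server reply."""
        if not self.open:
            raise RuntimeError("connection already closed")
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""

        if cmd == "CAPA":
            return "\r\n".join(self.capabilities())
        if cmd == "QUIT":
            self.open = False
            return "+OK bye"
        if cmd == "USER":
            # Accept every name with +OK so the reply does not reveal whether
            # the mailbox exists; the real check happens at PASS.
            self.user = arg
            return "+OK name is a valid mailbox"
        if cmd == "PASS":
            if self.user is None:
                return self._fail("-ERR USER first")
            expected = USERS.get(self.user)
            # Compare against a dummy digest for unknown users so the check
            # takes the same time whether or not the mailbox exists.
            ok = hmac.compare_digest(expected or _digest(_SALT, ""),
                                     _digest(_SALT, arg))
            if ok and expected is not None:
                self.authenticated = True
                return "+OK maildrop locked and ready"
            self.user = None
            return self._fail("-ERR invalid password")
        return self._fail("-ERR unknown command")

    def _fail(self, reply):
        """Emit -ERR; in hardened mode also close the connection. RFC 1939
        lets the client retry after -ERR, which is what permits unlimited
        guessing on one connection."""
        self.failures += 1
        if self.close_on_err:
            self.open = False
        return reply


def run_script(session, lines):
    """Feed client lines until the server closes; return the replies sent."""
    replies = []
    for line in lines:
        if not session.open:
            break
        replies.append(session.handle(line))
    return replies


if __name__ == "__main__":
    script = ["USER alice", "PASS wrong", "USER alice", "PASS also wrong"]
    print(len(run_script(Pop3AuthSession(close_on_err=False), script)), "replies (RFC 1939 default)")
    print(len(run_script(Pop3AuthSession(close_on_err=True), script)), "replies (close after -ERR)")
```

With the default behaviour all four lines of the constructed script get a reply; with `close_on_err=True` the session ends after the first "-ERR", so only two replies are sent and the client has to reconnect for each further guess, which is the point at which per-connection rate limiting or LOGIN-DELAY can take effect.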