Closed
Bug 378113
Opened 18 years ago
Closed 18 years ago
APOP challenge string should be checked strictly (CVE-2007-1558)
Categories
(Thunderbird :: Security, defect)
Thunderbird
Security
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 373973
People
(Reporter: masa141421356, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; ja; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier:
APOP challenge should be checked strictly, because otherwise it leads to a Password Recovery Attack.
See "Extended APOP Password Recovery Attack" at http://fse2007.uni.lu/rump.html
or http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1558
Reproducible: Always
Steps to Reproduce:
1. Attacker places a malformed APOP server.
2. Access the malformed APOP server using Thunderbird.
3.
Actual Results:
If Thunderbird does not check the APOP challenge string strictly, an attacker can recover the password.
Expected Results:
Thunderbird should check the APOP challenge string strictly.
If strict checking is already implemented, this bug should be INVALID.
If you can read Japanese, see http://www.ipa.go.jp/security/vuln/documents/2007/JVN_19445002.html
Reporter
Updated • 18 years ago
Severity: normal → critical
Reporter
Updated • 18 years ago
Summary: APOP challenge string should be checked strictly → APOP challenge string should be checked strictly (CVE-2007-1558)
Reporter
Comment 1 • 18 years ago
"APOP challenge string" in Comment #0 is <1896.697170952@dbc.mtview.ca.us> in the following example (it is quoted from RFC1939).
S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
C: APOP mrose c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop has 1 message (369 octets)
Reporter
Comment 2 • 18 years ago
This is quoted from http://seclists.org/bugtraq/2007/Apr/0018.html:
------------------------------
However, using the current techniques available to attack MD5, the
msg-ids sent by the server can easily be distinguished from genuine
ones as they will not respect the RFC specification. In particular,
they will contain non-ASCII characters. Therefore, as a security
countermeasure, mail user agents should reject msg-ids that does not
conform to the RFC.
-----------------------------
This is the reason for this bug.
In RFC1939, the format of the APOP challenge string (written as "timestamp" in RFC1939) is `msg-id' in RFC822.
In RFC822, msg-id format is
msg-id = "<" addr-spec ">" ; Unique message id
And addr-spec SHOULD contain ONLY ASCII characters (0x20 - 0x7E).
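A sketch of the strict check that this report and the quoted Bugtraq advisory ask for, added here as an example; it is not Thunderbird's code and not the fix from bug 373973. The function name, the `+OK` test and the sample inputs are assumptions, and the byte range 0x20 - 0x7E is the one given in Comment 2.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict check of the APOP challenge in a POP3 greeting (CRLF removed).
 * Returns 1 and the challenge span (brackets included) only for
 * "<" addr-spec ">" built from bytes 0x20..0x7E; on 0 a caller would refuse
 * to send APOP. Assumption: the addr-spec test is reduced to "has an '@' with
 * text on both sides", it is not a full RFC 822 parser. */
int apop_challenge_ok(const unsigned char *line, size_t n,
                      size_t *off, size_t *len)
{
    const unsigned char *lt, *gt, *p;
    int at = 0;

    if (n < 3 || memcmp(line, "+OK", 3) != 0)
        return 0;
    lt = memchr(line, '<', n);
    if (lt == NULL)
        return 0;                      /* no challenge: APOP not offered */
    gt = memchr(lt, '>', n - (size_t)(lt - line));
    if (gt == NULL)
        return 0;                      /* unterminated challenge */
    for (p = lt + 1; p < gt; p++) {
        if (*p < 0x20 || *p > 0x7E || *p == '<')
            return 0;                  /* control or non-ASCII byte */
        if (*p == '@' && p > lt + 1 && p + 1 < gt)
            at = 1;
    }
    if (!at)
        return 0;
    *off = (size_t)(lt - line);
    *len = (size_t)(gt - lt) + 1;
    return 1;
}

/* Constructed inputs: the RFC 1939 greeting, and one with non-ASCII bytes. */
static const unsigned char good[] =
    "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>";
static const unsigned char bad[] =
    { '+','O','K',' ','<','a', 0xC3, 0x9F, '@','x','>' };

int main(void)
{
    size_t off = 0, len = 0;
    printf("good: %d\n", apop_challenge_ok(good, sizeof good - 1, &off, &len));
    printf("bad:  %d\n", apop_challenge_ok(bad, sizeof bad, &off, &len));
    return 0;
}
```

The greeting is passed as a pointer and a length rather than a C string, so a challenge containing a NUL byte is examined in full instead of being cut short before the check.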
Assignee
Comment 3 • 18 years ago
This should be fixed in the next version of Thunderbird. Thank you.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Reporter
Updated • 18 years ago
Status: RESOLVED → VERIFIED