From owner-freebsd-security Mon Jun 3 22:48:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA17959 for security-outgoing; Mon, 3 Jun 1996 22:48:59 -0700 (PDT)
Received: from bdd.net ([207.61.78.33]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA17924; Mon, 3 Jun 1996 22:48:54 -0700 (PDT)
Received: from localhost (james@localhost) by bdd.net (8.7.5/8.7.3) with SMTP id BAA06981; Tue, 4 Jun 1996 01:48:50 -0400 (EDT)
Date: Tue, 4 Jun 1996 01:48:39 -0400 (EDT)
From: James FitzGibbon
To: security@freebsd.org
cc: ports@freebsd.org
Subject: Reply from the author of popper at Qualcomm (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I don't know if this thread from Bugtraq has found itself here yet; if so please disregard the verbosity of the message.

The quick version of the thread is that Qualcomm's pop server (the "popper" port) can be fed an enormous number of passwords, trying each in turn until one is successful without causing anything untoward in the logs. Qualcomm has reported that v2.2 of popper addresses these concerns as described below. The port of popper is still at v2.1.4.3, and as I understand it, is vulnerable.

--
j.
----------------------------------------------------------------------------
| James FitzGibbon                          james@nexis.net                |
| Integrator, The Nexis Group               Voice/Fax : 416 410-0100       |
----------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Mon, 3 Jun 1996 13:35:23 -0600
From: Pete Ashdown
Reply-To: Bugtraq List
To: Multiple recipients of list BUGTRAQ
Subject: Reply from the author of popper at Qualcomm

>From: mark@qualcomm.com (Mark Erikson)
>Subject: Re: Not so much a bug as a warning of new brute force attack (fwd)
>Cc: "Brett L. Hawn"
>Content-Type: text/plain; charset="us-ascii"
>Content-Length: 2744
>
>
> Version 2.2 has some features you might find interesting.
>
> 1) it blocks access to UIDs less than 11 by default.
> 2) if the login fails, it waits 15 seconds and then exits.
> 3) it logs all failed login attempts.
>
> The only other thing I can think of is to add a database which checks
> for a number of failed logins and then disable the account if the number
> is reached.
>
> Now, with APOP one can create a longer pass phrase which will
> be much more difficult to guess, but the password database will be
> independent of the unix account.
>
> qpopper 2.2 can be retrieved from:
>
>
>
> Mark
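The "database which checks for a number of failed logins" that Mark describes, written out as an added example (not part of this message, and not qpopper's own code): it reads failed-login records from syslog-style lines and reports accounts that cross a failure threshold inside a sliding time window. The log line format, the host name, the user names and the source addresses are all constructed for the example; real popper 2.2 output may look different.

```python
# Added example: threshold check over failed POP login records, the kind of
# check that could back an account-lockout decision. Log line shape below is
# assumed/constructed, not qpopper's documented format.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-like layout, assumed).
SAMPLE_LOG = """\
Jun  4 01:48:39 mail popper[6981]: login failed for user alice from 10.0.0.5
Jun  4 01:48:55 mail popper[6982]: login failed for user alice from 10.0.0.5
Jun  4 01:49:11 mail popper[6983]: login failed for user alice from 10.0.0.5
Jun  4 01:49:27 mail popper[6984]: login failed for user alice from 10.0.0.5
Jun  4 01:50:02 mail popper[6985]: login failed for user bob from 10.0.0.9
Jun  4 03:10:00 mail popper[7001]: login failed for user bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ popper\[\d+\]: "
    r"login failed for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(text, year=1996):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login record; skip it
        # syslog lines carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def accounts_to_lock(text, threshold=3, window_seconds=600):
    """Return the users with >= threshold failures inside any window of
    window_seconds: the candidates for the 'disable the account' step."""
    per_user = defaultdict(list)
    for ts, user, _src in parse_failures(text):
        per_user[user].append(ts)
    locked = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked
```

With the sample above, alice (four failures in under a minute) is flagged and bob (two failures over an hour apart) is not.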