Date: Tue, 4 Jun 1996 01:48:39 -0400 (EDT)
From: James FitzGibbon <james@nexis.net>
To: security@freebsd.org
Cc: ports@freebsd.org
Subject: Reply from the author of popper at Qualcomm (fwd)
Message-ID: <Pine.BSI.3.93.960604014234.6954F-100000@bdd.net>
I don't know if this thread from Bugtraq has found itself here yet; if so
please disregard the verbosity of the message.

The quick version of the thread is that Qualcomm's pop server (the "popper"
port) can be fed an enormous number of passwords, trying each in turn until
one is successful without causing anything untoward in the logs. Qualcomm
has reported that v2.2 of popper addresses these concerns as described
below. The port of popper is still at v2.1.4.3, and as I understand it, is
vulnerable.

--
j.

----------------------------------------------------------------------------
| James FitzGibbon                                  james@nexis.net        |
| Integrator, The Nexis Group                       Voice/Fax : 416 410-0100 |
----------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Mon, 3 Jun 1996 13:35:23 -0600
From: Pete Ashdown <pashdown@xmission.com>
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: Reply from the author of popper at Qualcomm

>From: mark@qualcomm.com (Mark Erikson)
>Subject: Re: Not so much a bug as a warning of new brute force attack
> (fwd)
>Cc: "Brett L. Hawn" <blh@nol.net>
>Content-Type: text/plain; charset="us-ascii"
>Content-Length: 2744
>
>
> Version 2.2 has some features you might find interesting.
>
> 1) it blocks access to UIDs less than 11 by default.
> 2) if the login fails, it waits 15 seconds and then exits.
> 3) it logs all failed login attempts.
>
> The only other thing I can think of is to add a database which checks
> for a number of failed logins and then disable the account if the number
> is reached.
>
> Now, with APOP one can create a longer pass phrase which will
> be much more difficult to guess, but the password database will be
> independent of the unix account.
>
> qpopper 2.2 can be retrieved from:
>
> <ftp://ftp.qualcomm.com/quest/unix/servers/unix/qpop2.2.tar.Z>
>
> Mark
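The thread's point is that the fix only helps once failed logins are actually logged and someone watches the count. The following is an added example, not code from the thread or from qpopper: a small monitor that reads syslog-style failed-login lines and raises the "disable the account after N failures" condition Mark describes. The log line wording, hostnames and addresses are constructed for the example; qpopper 2.2's real message text is not quoted in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the message wording is an assumption for the
# example, not the real qpopper 2.2 format. Five rapid failures for "alice"
# from one address, two widely spaced failures for "bob".
SAMPLE_LOG = """\
Jun  4 01:40:01 mail popper[612]: Failed login attempt for user alice from 10.0.0.5
Jun  4 01:40:02 mail popper[613]: Failed login attempt for user alice from 10.0.0.5
Jun  4 01:40:03 mail popper[614]: Failed login attempt for user alice from 10.0.0.5
Jun  4 01:40:04 mail popper[615]: Failed login attempt for user alice from 10.0.0.5
Jun  4 01:40:05 mail popper[616]: Failed login attempt for user alice from 10.0.0.5
Jun  4 01:40:06 mail popper[617]: Failed login attempt for user bob from 10.0.0.9
Jun  4 01:50:20 mail popper[640]: Failed login attempt for user bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ popper\[\d+\]: "
    r"Failed login attempt for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line, year=1996):
    """Return (timestamp, user, source) for a failed-login line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["src"]


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return [(user, failures)] for every account that reaches `threshold`
    failed logins inside a sliding window of `window_seconds`. This is the
    counting half of the lockout database suggested in the thread; acting
    on the result (disabling the account, alerting) is left to the caller."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    flagged = {}                 # user -> failure count at the moment of detection
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog traffic
        ts, user, _src = rec
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and user not in flagged:
            flagged[user] = len(q)
    return list(flagged.items())
```

Note that the 15-second delay in 2.2 slows a single connection but does not stop parallel connections, which is why a per-account counter like this one is still worth running over the logs.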