Thread-topic: MOZILLA THUNDERBIRD SMTP DOWN-NEGOTIATION WEAKNESS
Здесь интересна методическая проработка всех вариантов атаки.
> Subject: Full-Disclosure Digest, Vol 8, Issue 31
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 14 Oct 2005 14:20:54 +0200
> From: Thomas Henlich <thomas@xxxxxxxxxx>
> Subject: [Full-disclosure] Mozilla Thunderbird SMTP down-negotiation
> weakness
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <434FA2A6.4070303@xxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-15
>
> MOZILLA THUNDERBIRD SMTP DOWN-NEGOTIATION WEAKNESS
>
> Thomas Henlich <thomas@xxxxxxxxxx>
>
> SUMMARY
>
> Mozilla Thunderbird SMTP down-negotiation behaviour allows a man-
> in-the-middle (MITM) attack to bypass TLS initialization and/or
> downgrade CRAM-MD5 to PLAIN authentication, leading to exposure
> of authentication information. Failure in CRAM-MD5 authentication
> also leads to exposure of authentication information to a passive
> eavesdropper.
>
> BACKGROUND
>
> Mozilla Thunderbird is a mail user agent with support for SMTP
> PLAIN and CRAM-MD5 authentication and for secure SMTP over TLS.
>
> CRAM-MD5 is a method for secure user authentication which avoids
> plaintext transmission of sensitive information (account/
> password). TLS is a security protocol to protect transmitted data
> against eavesdropping.
>
> AFFECTED VERSIONS
>
> - Mozilla Thunderbird 1.0.7 (20050923)
> - Mozilla Thunderbird 1.5 Beta 2 (20051006)
> - possibly other programs using the Mozilla mail component
>
> DESCRIPTION
>
> The SMTP negotiation in Mozilla Thunderbird is implemented in a
> way that if a secure data exchange (CRAM-MD5 or STARTTLS) between
> client and server can not be established, an insecure method is
> used instead. The user is not notified of this and can not cancel
> this insecure data exchange. An intermediate attacker can utilize
> this behaviour to gain sensitive account/password information. As
> CRAM-MD5 and TLS were designed to avoid eavesdropping attacks,
> currently the implementation of Mozilla's SMTP client fails to
> meet these design goals. Several methods of attack are possible:
>
> A1. Passive eavesdropping attack on CRAM-MD5 authentication
> failure
>
> Scenario
>
> - Client (C) Mozilla Thunderbird
> - SMTP server (S) which supports and advertises PLAIN and CRAM-
> MD5 authentication
> - Attacker A1 who can read network traffic from C to S
>
> Sequence of attack
>
> - User accidentally mistypes password (e.g. "secrez" instead
> "secret").
> - C tries CRAM-MD5 authentication which fails.
> - C retries with PLAIN authentication.
> - A1 can guess the correct password from sniffed connection.
>
> A2. One-way active MITM attack on CRAM-MD5 capability
> advertisement
>
> Scenario
>
> - Client (C) Mozilla Thunderbird
> - SMTP server (S) which supports and advertises PLAIN and CRAM-
> MD5 authentication.
> - Attacker A2 who can read network traffic from C to S and modify
> network traffic from S to C
>
> Sequence of attack
>
> - S sends EHLO response.
> - A2 discards S's SMTP authentication advertisement and sends
> "AUTH PLAIN" advertisement to C.
> - C connects with PLAIN authentication.
> - A2 can read cleartext password.
>
> A3. One-way active MITM attack on CRAM-MD5 authentication attempt
>
> Scenario
>
> - Client (C) Mozilla Thunderbird
> - SMTP server (S) which supports and advertises PLAIN and CRAM-
> MD5 authentication.
> - Attacker A3 who can read and modify network traffic from C to S
>
> Sequence of attack
>
> - S sends CRAM-MD5 challenge to C.
> - C sends authentication, but A3 transmits a different (random)
> response causing authentication to fail.
> - C reauthenticates with PLAIN authentication.
> - A3 can read cleartext password.
>
> A4. One-way active MITM attack on STARTTLS capability
> advertisement
>
> Scenario
>
> - Client (C) Mozilla Thunderbird
> - SMTP server which supports and advertises STARTTLS
> - Attacker A4 who can read network traffic from C to S and modify
> network traffic from S to C
>
> Sequence of attack
>
> - S sends EHLO response with STARTTLS advertisement.
> - A4 discards S's STARTTLS advertisement.
> - PLAIN authentication takes place.
> - A4 can read cleartext password.
>
> RESOLUTION
>
> For A1-A3 no resolution is known. For A4, set user preference to
> enforce TLS.
>
> PROOF OF CONCEPT
>
> A TCP proxy application demonstrating these weaknesses is
> available from
>
> TIMELINE
>
> - 2005-10-08: Opened Bugzilla Bug 311657
> - 2005-10-11: Reported to security@xxxxxxxxxxx
>
>
>
> ------------------------------
>
> End of Full-Disclosure Digest, Vol 8, Issue 31
> **********************************************
>
