exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

thunderbirdWeak.txt

thunderbirdWeak.txt
Posted Oct 27, 2005
Authored by Thomas Henlich

Mozilla Thunderbird SMTP down-negotiation behavior allows a man-in-the-middle (MITM) attack to bypass TLS initialization and/or downgrade CRAM-MD5 to PLAIN authentication, leading to exposure of authentication information. Failure in CRAM-MD5 authentication also leads to exposure of authentication information to a passive eavesdropper. Affected versions: Mozilla Thunderbird 1.0.7 (20050923), Mozilla Thunderbird 1.5 Beta 2 (20051006), possibly other programs using the Mozilla mail component.

tags | advisory
SHA-256 | d7c2c62f53981de1b1e61fbb11de9278cff73769ab86c648b175814f320ba698

thunderbirdWeak.txt

Change Mirror Download
MOZILLA THUNDERBIRD SMTP DOWN-NEGOTIATION WEAKNESS

Thomas Henlich <thomas@henlich.de>

SUMMARY

Mozilla Thunderbird SMTP down-negotiation behaviour allows a man-
in-the-middle (MITM) attack to bypass TLS initialization and/or
downgrade CRAM-MD5 to PLAIN authentication, leading to exposure
of authentication information. Failure in CRAM-MD5 authentication
also leads to exposure of authentication information to a passive
eavesdropper.

BACKGROUND

Mozilla Thunderbird is a mail user agent with support for SMTP
PLAIN and CRAM-MD5 authentication and for secure SMTP over TLS.

CRAM-MD5 is a method for secure user authentication which avoids
plaintext transmission of sensitive information (account/
password). TLS is a security protocol to protect transmitted data
against eavesdropping.

AFFECTED VERSIONS

- Mozilla Thunderbird 1.0.7 (20050923)
- Mozilla Thunderbird 1.5 Beta 2 (20051006)
- possibly other programs using the Mozilla mail component

DESCRIPTION

The SMTP negotiation in Mozilla Thunderbird is implemented in a
way that if a secure data exchange (CRAM-MD5 or STARTTLS) between
client and server can not be established, an insecure method is
used instead. The user is not notified of this and can not cancel
this insecure data exchange. An intermediate attacker can utilize
this behaviour to gain sensitive account/password information. As
CRAM-MD5 and TLS were designed to avoid eavesdropping attacks,
currently the implementation of Mozilla's SMTP client fails to
meet these design goals. Several methods of attack are possible:

A1. Passive eavesdropping attack on CRAM-MD5 authentication
failure

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
MD5 authentication
- Attacker A1 who can read network traffic from C to S

Sequence of attack

- User accidentally mistypes password (e.g. "secrez" instead
"secret").
- C tries CRAM-MD5 authentication which fails.
- C retries with PLAIN authentication.
- A1 can guess the correct password from sniffed connection.

A2. One-way active MITM attack on CRAM-MD5 capability
advertisement

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
MD5 authentication.
- Attacker A2 who can read network traffic from C to S and modify
network traffic from S to C

Sequence of attack

- S sends EHLO response.
- A2 discards S's SMTP authentication advertisement and sends
"AUTH PLAIN" advertisement to C.
- C connects with PLAIN authentication.
- A2 can read cleartext password.

A3. One-way active MITM attack on CRAM-MD5 authentication attempt

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server (S) which supports and advertises PLAIN and CRAM-
MD5 authentication.
- Attacker A3 who can read and modify network traffic from C to S

Sequence of attack

- S sends CRAM-MD5 challenge to C.
- C sends authentication, but A3 transmits a different (random)
response causing authentication to fail.
- C reauthenticates with PLAIN authentication.
- A3 can read cleartext password.

A4. One-way active MITM attack on STARTTLS capability
advertisement

Scenario

- Client (C) Mozilla Thunderbird
- SMTP server which supports and advertises STARTTLS
- Attacker A4 who can read network traffic from C to S and modify
network traffic from S to C

Sequence of attack

- S sends EHLO response with STARTTLS advertisement.
- A4 discards S's STARTTLS advertisement.
- PLAIN authentication takes place.
- A4 can read cleartext password.

RESOLUTION

For A1-A3 no resolution is known. For A4, set user preference to
enforce TLS.

PROOF OF CONCEPT

A TCP proxy application demonstrating these weaknesses is
available from http://www.henlich.de/moz-smtp/stcppipe-x.zip

TIMELINE

- 2005-10-08: Opened Bugzilla Bug 311657
- 2005-10-11: Reported to security@mozilla.org


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close