by Tan Chew Keong
Release Date: 2008-04-27
A vulnerability has been found in E-Post Mail Server. When exploited, the vulnerability allows an anonymous attacker to obtain the POP3 password of any known user from the POP3 service without requiring any logon.
The vendor has also issued a patch for E-Post Mail Server Enterprise Version 4.10.
This advisory discloses a vulnerability in the POP3 service of the E-Post Email Server. When exploited, the vulnerability allows an anonymous attacker to obtain the POP3 password of any known user from the POP3 service without requiring any logon. Successful exploitation requires that the attacker know the POP3 account name (email address) of the victim.
When an attacker issues several specially-crafted APOP commands to the POP3 server, the server displays the user's password back to the attacker in the POP3 error message. The vulnerability is due to a coding error in the APOP processing code in EPSTPOP3S.EXE 4.22, and is not related in any way to the MD5 collision weakness in APOP authentication. Full details of the vulnerability were sent to the vendor, but are omitted from this advisory.
For example, in the screenshot below, the password of testuser1 is revealed as topsecret123.
POC / Test Code
Details of how to reproduce the issue were sent to the vendor.
Patch / Workaround
The vulnerability was fixed in EPSTPOP3S.EXE version 4.23. Vendor's advisory in Japanese.
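A log check that can run alongside the upgrade, as an added example that is not part of the original advisory or the vendor's code: it flags connections showing the two traits the advisory does state, several APOP commands and error replies before any logon. The transcript format, the threshold of 3, and counting APOP lines that do not match RFC 1939 syntax as an extra anomaly signal are assumptions; the advisory does not describe the crafted commands.

```python
import re
from collections import defaultdict

# RFC 1939: "APOP <name> <digest>", digest = 32 lower-case hex digits (MD5).
APOP_RE = re.compile(r"^(?i:APOP) (\S+) ([0-9a-f]{32})$")
# Assumed transcript format (proxy log or capture): "<conn-id> <C|S>: <POP3 line>"
LINE_RE = re.compile(r"^(\S+) ([CS]): (.*)$")
THRESHOLD = 3  # assumed cut-off for "several" failed APOP attempts

# Constructed sample transcript; hosts, users and digests are made up.
SAMPLE = f"""\
c1 S: +OK POP3 ready <1896.697170952@mail.example.test>
c1 C: APOP alice@example.test c4c9334bac560ecc979e58001b3e22fb
c1 S: +OK maildrop has 2 messages
c2 S: +OK POP3 ready <1897.697170953@mail.example.test>
c2 C: APOP testuser1@example.test {'0' * 32}
c2 S: -ERR authentication failed
c2 C: APOP testuser1@example.test xyz
c2 S: -ERR authentication failed
c2 C: APOP testuser1@example.test {'1' * 32}
c2 S: -ERR authentication failed
"""

def scan(transcript, threshold=THRESHOLD):
    """Return per-connection stats for connections with suspicious pre-logon APOP use."""
    stats = defaultdict(lambda: {"users": set(), "failed": 0, "malformed": 0})
    pending, authed = set(), set()  # APOP awaiting a reply / already logged on
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) in authed:
            continue  # unparsable line, or traffic after a successful logon
        conn, side, line = m.groups()
        if side == "C":
            pending.discard(conn)
            if line.split(" ", 1)[0].upper() == "APOP":
                pending.add(conn)
                stats[conn]["users"].update(line.split()[1:2])
                if not APOP_RE.match(line):
                    stats[conn]["malformed"] += 1  # not RFC 1939 syntax
        elif conn in pending:  # server reply to the APOP just sent
            pending.discard(conn)
            if line.startswith("+OK"):
                authed.add(conn)
            elif line.startswith("-ERR"):
                stats[conn]["failed"] += 1
    return {c: s for c, s in stats.items()
            if s["failed"] >= threshold or s["malformed"]}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The account names reported for a flagged connection are the ones whose POP3 passwords should be rotated if the server was running EPSTPOP3S.EXE 4.22 at the time.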
2008-04-17 - Vulnerability Discovered.
2008-04-17 - Initial Vendor Notification.
2008-04-18 - Initial Vendor Reply.
2008-04-18 - Vulnerability Details Sent to Vendor.
2008-04-22 - Vendor Releases Advisory.
2008-04-22 - Downloaded new installation package, tested it, and found that EPSTPOP3S.EXE has been updated to 4.23 and the issue is fixed.
2008-04-27 - Public Release.