SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Apple Mail Vendors:   Apple
Apple Mail New Account Wizard May Disclose Passwords Via the Network
SecurityTracker Alert ID:  1013915
SecurityTracker URL:  http://securitytracker.com/id/1013915
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 9 2005
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 2.0
Description:   A vulnerability was reported in Apple Mail in the new account wizard. The system may send a password over the network in plain text form.

When creating a new user account for an IMAP mail server where both SSL and non-SSL IMAP services are available, the wizard will attempt to login using the non-SSL IMAP service (port 143) before asking the user whether SSL should be used or not. As a result, the IMAP password will be transmitted over the network in plain text.

The vendor was notified on May 1, 2005, without reply.

Markus Woerle (mrks) reported this vulnerability.

Impact:   The user's IMAP password will be transmitted over the network in plain text.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents

Subject:  Mac OS 10.4: new-account-wizzard in Mail 2.0 sends clear-text passwords


Hello there!

I reported this bug at 01-May-2005 09:21 PM CEST to Apples bug- 
reporting facility (Problem ID: 4104391) without reply yet.

Summary:
At its first use, Mail.app 2.0 will launch a new-account-wizzard that  
leads through the account-creation process. This wizzard asks for a  
name, a loginname, a password and then tries to validate these  
informations by loging in. In case ones ISP offers an IMAP server  
with normal IMAP (port 143) and IMAP over SSL (port 933) the wizzard  
uses the insecure IMAP to login and validate the settings. This  
happens _before_ it asks whether to use SSL or not. In this case, the  
only chance not to scream out a password while creating the first  
account  is to use a wrong password or to disconnect from the internet.

Steps to Reproduce:
0. Make sure your email ISP provides IMAP and IMAP over SSL.
1. Launch Mail.app 2.0 the first time or use "File - Add Account..."
2. Create a new account, choose:
     Account Type: IMAP
     some account description
     your full name
     your email address
3. click "Continue"
4. Fill in:
     your incoming mail server
     your username
     your password
5. Launch some packet sniffing utillity (e.g. tcpdump, ngrep or  
something similar) to watch your inet device (especially ip port 143).
6. click "Continue". Mail.app will now validate your settings by  
logging in. It will use your IMAP without SSL by default and send  
your password clear-text through the net. Watch your packet sniffer.
7. On the next page you'll get asked whether to use SSL or not, but  
thats probably too late.

Expected Results:
The wizard should try to open a socket but don't log in, or ask  
whether to use SSL or not _before_ validating the account settings

Actual Results:
It opens a socket and logs in without giving the user the chance to  
activate SSL.

Notes:
* haven't tried this with POP and POPs
* maybe similar problems with SMTP-Auth if the SMTP server supports  
STARTTLS, but only AUTH PLAIN (and no AUTH CRAM-MD5) SASL authentication

Ciao!
mrks

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC