Bug#3003: pop3d-1.007 bug
Package: netstd
Version: 2.02-1
pop3d-1.007 compiled with logging enabled has a bug that causes it to log
mailbox statistics regardless of whether the user successfully logged in.
It also does not disconnect after repeated login failures (lending itself
nicely to brute-forcing passwords), nor does it log the attempted username
(nitpick, I know, but I find it useful to know which accounts are under
attack).
I submit the following patch:
--- main.c-orig Tue Nov 28 19:27:47 1995
+++ main.c Thu Apr 4 16:18:35 1996
@@ -49,6 +49,9 @@
* sessions; conditional compilation ( Thanks
* to David Wong, UC Davis for this work )
* 1.007 07-29-94 [ks] add '\r' to POP server greeting string
+ * 1.007a 04-04-96 [jwl] log username for invalid passwords
+ * close session after MAX_ATTEMPTS to login
+ * never log mailbox stats (personal info)
*/
#include <stdio.h>
@@ -71,14 +74,16 @@
#define FACILITY LOG_MAIL
#endif
-#define VERSION "1.007"
-#define REVDATE "July, 1994"
+#define VERSION "1.007a"
+#define REVDATE "April, 1996"
+#define MAX_ATTEMPTS 3 /* maximum invalid logins */
char *svr_hostname; /* Hostname of POP3 server */
char svr_buf[SVR_BUFSIZ+2]; /* Buffer for server I/O */
char cli_user[CLI_BUFSIZ]; /* Save client username */
int mcounter=0;
int bcounter=0;
+int nLoginAttempts=0;
static char *svr_invalid = "-ERR Invalid command; valid commands:";
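Review bot: `int nLoginAttempts=0;` breaks the snake_case convention of the neighbouring `mcounter`/`bcounter` globals, and nothing outside this file appears to touch it, so `static int login_attempts = 0;` (renamed at its uses) would keep it out of the global namespace. The `MAX_ATTEMPTS` comment could also say what the count is scoped to, since the limit is enforced within a single session: `#define MAX_ATTEMPTS 3 /* maximum invalid logins per connection */`.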
@@ -246,11 +251,21 @@
inbuf += 4;
EATSPACE(inbuf);
if (verify_user(cli_user,inbuf) == -1) {
+ nLoginAttempts++;
#ifdef LOG_SESSIONS
- syslog(LOG_WARNING,"invalid password\n",inbuf);
+ if ( nLoginAttempts == 1 ) {
+ syslog(LOG_WARNING,"%d LOGIN FAILURE, %s\n", nLoginAttempts, cli_user);
+ } else {
+ syslog(LOG_WARNING,"%d LOGIN FAILURES, %s\n", nLoginAttempts, cli_user);
+ }
#endif
+ if ( nLoginAttempts >= MAX_ATTEMPTS ) {
+ return(svr_shutdown());
+ }
strcpy(svr_buf,"-ERR invalid usercode or password, please try again\r\n");
return(SVR_AUTH_STATE);
+ } else {
+ nLoginAttempts=0;
}
strcpy(svr_buf,DEF_MAIL_DIR);
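Review bot: The two new syslog calls in the invalid-password branch pass `cli_user` straight from the client into the log, so a username containing control characters or a newline can forge extra log lines; filter non-printable bytes out of it (or log a bounded, escaped copy) before it reaches syslog, and the trailing `\n` in a syslog format string is unnecessary. These calls also use `LOG_WARNING` without `| FACILITY`, unlike the session line elsewhere in the file, so the failures may be routed to a different log than the rest of the daemon's messages — `syslog(LOG_WARNING | FACILITY, "%d LOGIN FAILURES, %s", nLoginAttempts, cli_user);` (and likewise for the singular form). The attempt counter is per connection, so a client that reconnects after `svr_shutdown()` starts from zero again; a short delay before each `-ERR` response would make repeated guessing cost the client more than it costs the server. The enclosing function starts and ends outside the hunk.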
@@ -479,7 +494,9 @@
}
fld_release(); /* [1.003] Make sure folder is released */
#ifdef LOG_SESSIONS
+ /* jwl 96.04.04 -- never log mailbox statistics
syslog( LOG_INFO | FACILITY, "User: %s (%d messages, %d octets retrieved)", cli_user, mcounter, bcounter);
+ */
closelog();
#endif
#ifdef TLI
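Review bot: Commenting out the statistics syslog leaves dead code in the source; delete the line (or wrap it in `#if 0`) and let the changelog entry carry the why. Removing it also drops the only record that a session ended for a given user, which an operator correlating the new LOGIN FAILURE entries would want alongside them; a count-free line such as `syslog(LOG_INFO | FACILITY, "User: %s session closed", cli_user);` keeps the audit trail without the mailbox figures the patch is trying to suppress. With the line gone, `closelog();` is the only statement left under `LOG_SESSIONS` here.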
--
Jacob Langseth | Meddle not in the affairs of dragons, for
(Musashi) | thou art crunchy and go well with ketchup _
=---------------+-----+--------------------------------------+
dragon@cc.gatech.edu | Finger for PGP key ..................|