POP3 client with OpenSSL issue

POP3 client with OpenSSL issue

vinay krishna
Hello, I am writing a POP3 client in C on Ubuntu. I am using OpenSSL. I am stuck in the AUTHORIZATION state! I send the user name and get a success response, and when I send the password, it always says -ERR bad command. I am sure the password is correct. Since I am using OpenSSL, Wireshark was not of much help. Here's how I am sending the password:

scanf("%s",password);

sprintf(pass_cmd,"PASS %s\r\n",password);

sent = SSL_write(ssl, pass_cmd, strlen(pass_cmd));

pass_cmd is flushed and cleaned before being used in write. The strlen is also giving a valid size including \r\n

Is this in any way related to OpenSSL?


Any pointers will be greatly appreciated!!

RE: POP3 client with OpenSSL issue

Dave Thompson-5
>From: [hidden email] On Behalf Of vinay krishna
>Sent: Sunday, 21 April, 2013 00:52

>Hello I am writing a POP3 client in C on ubuntu. I am using OpenSSl
>I am stuck in the AUTHORIZATION state! I send the user name and get
>a success response, and when i send the password , it always says
>-ERR bad command. I am sure the password is correct. Since i am

Are you sure the username is correct? Usual security practice has
long required, as RFC 1939 hints, that the feedback for a uid/pw
login should not indicate which one was bad nor in what way,
only that the *pair* is bad. This means that a bad USER
would still +OK and only the subsequent PASS would -ERR.
Although -ERR "bad command" is somewhat discourteous;
it could be a little more specific and still be secure.

>using open ssl , wireshark was of not of much help. Heres how

For recent versions of wireshark (about the last 2 years or so)
if your code gets the SSL_SESSION after handshake (i.e. after
SSL_connect or equivalent for a client) and _print's it to a file
which you give to wireshark it should be able to decrypt.
(And wireshark has vulnerabilities, at least loop or crash
vulnerabilities, often enough it's good to keep up to date.)

>i am sending the password

>scanf("%s",password);
>sprintf(pass_cmd,"PASS %s\r\n",password);

If either the input to password or the line to pass_cmd
exceeds the size of the respective buffer, this will
overrun memory and do unpredictably bad things.
The official C term for this is Undefined Behavior.
Use *scanf %<limit>s where limit is at most size-1,
and unless you've prearranged the sizes to fit,
either sprintf %.<limit>s or snprintf (standard in C99,
but widely available before and outside that).

Alternatively if this is the only data on an input line,
and I expect in this situation it would be, use fgets
and discard the \n if (and only if) it's there.

>sent = SSL_write(ssl, pass_cmd, strlen(pass_cmd));

>pass_cmd is flushed and cleaned before used in write.

What exactly is flush? Normally that is used for I/O
(write especially, less often read) and there is no I/O
before the SSL_write; the SSL_write IS the I/O.
Assuming clean means OPENSSL_cleanse or equivalent,
before the build (sprintf) or between that and write?
The former is useless; the latter would destroy exactly
the data you want to send, which is stupid. If you want
to clean it so you don't have it in memory, clean it after
sending. And clean password anytime after using it to
build pass_cmd. (It may be and often is convenient
to group all needed clean operations at the end
of the function body, just before the return --
assuming there is a single return, which is often but
not universally considered good programming practice.)

>The strlen is also giving a valid size including \r\n

But not after being cleaned, if in fact it is.

FWIW {,f,s,sn}printf returns the number of characters
written, excluding the null terminator, so you could
remember that and use that. Tomayto, tomahto.

>Is this in anyway related to OpenSSL?
       
Very unlikely. If you get an application level response -ERR
then your application level request got there.

If the server allows nonSSL access that might be easier
to debug. Alternatively, try connecting with commandline
s_client and typing the (few) commands manually. (It's
not easy to get the CR on terminal input at least on Unix,
but a Postelian server will likely accept plain-LF.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
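
The input handling described in the reply above (fgets with the \n discarded only if present, snprintf with its return value checked and reused as the write length, cleansing after use), as an added C example that is not code from any poster in this thread. read_line, build_pass_cmd, wipe and prepare_pass are hypothetical names; wipe stands in for OPENSSL_cleanse so the block builds without OpenSSL, and the CR/LF rejection goes beyond what the reply asks for.

```c
#include <stdio.h>
#include <string.h>

/* Return the line length without its ending, or -1 on EOF or overlong line. */
static long read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';              /* drop \n only if it is there */
    } else {
        int c = getc(in);             /* buffer full, or EOF without \n */
        if (c != EOF && c != '\n') {  /* more input: drain and refuse */
            while ((c = getc(in)) != EOF && c != '\n')
                ;
            return -1;
        }
    }
    return (long)n;
}
/* Build "PASS <password>\r\n"; return the byte count for the write call,
   or -1 if the password is empty, holds CR/LF, or does not fit in out. */
static int build_pass_cmd(char *out, size_t outsz, const char *password)
{
    if (password[0] == '\0' || strpbrk(password, "\r\n") != NULL)
        return -1;
    int n = snprintf(out, outsz, "PASS %s\r\n", password);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
/* Stand-in for OPENSSL_cleanse(): volatile stores are not optimized away. */
static void wipe(void *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}
/* Read the password, build the command, wipe the password copy. */
static int prepare_pass(FILE *in, char *wire, size_t wiresz)
{
    char password[128];
    int n = -1;
    if (read_line(in, password, sizeof password) >= 0)
        n = build_pass_cmd(wire, wiresz, password);
    wipe(password, sizeof password);
    return n;
}
int main(void)
{
    char wire[160];
    int n = prepare_pass(stdin, wire, sizeof wire);
    if (n > 0) printf("%d bytes ready for SSL_write(ssl, wire, n)\n", n);
    wipe(wire, sizeof wire);          /* after sending, wipe this too */
    return n > 0 ? 0 : 1;
}
```

Because the whole line is read, a password containing spaces reaches the server intact.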
Re: POP3 client with OpenSSL issue

Viktor Dukhovni
On Sun, Apr 21, 2013 at 10:17:31PM -0400, Dave Thompson wrote:

> >scanf("%s",password);

This also mishandles passwords containing whitespace.  The code
looks so poor that my guess is that someone is asking us to do
their homework.

--
        Viktor.
Malware auto-response bot, take care...

Viktor Dukhovni

My previous post generated an auto-response from what is likely a
malware auto-response bot.  Best bet is to not follow the links.
This has been reported to Hotmail via spamcop.

[ Looks like Hotmail does not implement RFC 3834 as yet. ]

-- Suspected malware response below --


Re: POP3 client with OpenSSL issue

vinay krishna
Thanks a lot for the reply Mr Dave!
The info on wireshark was really helpful. 
By flush I meant the buffer before being used in sprintf  was clean.


On Mon, Apr 22, 2013 at 9:48 AM, Viktor Dukhovni <[hidden email]> wrote:
> On Sun, Apr 21, 2013 at 10:17:31PM -0400, Dave Thompson wrote:
>
> > >scanf("%s",password);
>
> This also mishandles passwords containing whitespace.  The code
> looks so poor that my guess is that someone is asking us to do
> their homework.
>
> --
>         Viktor.