Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
POP3
Posted by: lpilorz
Date: January 13, 2008 05:04PM

In some webmails there is an option to retrieve messages from external POP3 server. I found out some of them allow:
- connecting to internal network host of the company (by IP or hostname)
- selecting any port
- CRLF injection, like setting password to "secret\r\nquit" (but not CSRF-able)
Do you have some ideas for exploiting them? I thought of retrieving some local web content, but POP protocol is not good for it.



Edited 1 time(s). Last edit at 01/13/2008 05:29PM by lpilorz.

Re: POP3
Posted by: rsnake
Date: January 13, 2008 09:10PM

Can you give some more information about what the interface looks like? How do you enter this information and where? Any specific information about the webmail servers themselves? That might help.

- RSnake
Gotta love it. http://ha.ckers.org

Re: POP3
Posted by: lpilorz
Date: January 18, 2008 05:46AM

It usually offers the possibility to add external POP3 account settings (host, username, password) and retrieve all contents at once. There is no option to RETR single entries. So I set host:port, user, pass, click OK, click "Import", and the server does:

user <my_input_here>
pass <my_input_here>
stat
list
retr 1
retr 2
...
quit

If the POP3 server replies with anything unexpected (or it does not send +OK after establishing the connection), the connection is closed by the webmail server. Both inputs can contain CRLF. The host:port is not checked, so I can put anything in there.

I don't have source code access. Tested with:
http://lukasz.pilorz.net/testy/pop3/pop.pl

The error message is different if the connection can't be established, and different if there is POP3 protocol error.

Re: POP3
Posted by: rsnake
Date: February 02, 2008 10:49PM

I'm still not sure I understand what you're saying. The script you've included is the POP3 server. So you have a webmail server that connects to that POP3 server and that POP3 server does what? That's the part I'm missing.

- RSnake
Gotta love it. http://ha.ckers.org

Re: POP3
Posted by: lpilorz
Date: February 03, 2008 11:28AM

I already found out that the only thing I could do is local network port scanning.

I tried using webmail to connect to other ports from its server and simulating some other protocol using CRLF injection (could give access to local resources), but POP3 is not good for it. I thought maybe someone had already played with such things and could give some ideas for using CRLF injection in POP3. The Perl server was just to check how the webmail behaves, because I did not have source code access. Anyway, I don't play with it anymore, thanks for willing to help me :)

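The three weaknesses described in this thread (the webmail connects to any host:port the user supplies, the username and password are passed through with CRLF intact, and the error message reveals whether the connection or the POP3 dialogue failed, which is what makes the internal port scan work) are all fixable on the webmail side. The following is an added example of a hardened "fetch from external POP3 account" helper; it is not code from the thread or from any webmail product. The port allow-list, the injectable resolver hook, the sample hostnames and the single generic error string are assumptions made for the example.

```python
import ipaddress
import re
import socket

# Added example: a hardened wrapper for a webmail "fetch from external POP3
# account" feature. Not from the thread; the port allow-list, the resolver
# hook and the single generic error message are assumptions made here.

ALLOWED_PORTS = {110, 995}                   # assumption: standard POP3 / POP3S only
_CTRL = re.compile(r"[\x00-\x1f\x7f]")       # CR, LF and every other control byte
GENERIC_ERROR = "Could not retrieve mail from the external account."


class FetchError(Exception):
    """Raised for every failure class with the same text, so a caller cannot
    distinguish 'connection refused' from 'POP3 protocol error' and use the
    feature as a port scanner of the webmail's network."""


def reject_control_chars(value, field):
    """Refuse CR/LF (and other control bytes) so a value such as
    'secret\\r\\nQUIT' cannot terminate the PASS line and inject commands."""
    if not isinstance(value, str) or _CTRL.search(value):
        raise ValueError(f"{field} contains control characters")
    return value


def build_login_commands(user, password):
    """Return the USER/PASS lines as bytes, only after both values pass the
    control-character check: one command per line, never split by user input."""
    reject_control_chars(user, "username")
    reject_control_chars(password, "password")
    return f"USER {user}\r\nPASS {password}\r\n".encode("utf-8")


def is_public_address(ip_text):
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local (including 169.254/16), multicast, reserved, etc."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(host, port, resolve=socket.gethostbyname_ex):
    """Resolve `host` and return its address list, or raise ValueError when the
    port is off the allow-list or any resolved address is not public.
    `resolve` is injectable so the check can be tested without DNS."""
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    if not host or _CTRL.search(host):
        raise ValueError("bad hostname")
    _, _, addrs = resolve(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError("target resolves to a non-public address")
    return addrs


def fetch_external_pop3(host, port, user, password, timeout=10.0):
    """Connect to the validated address (not the hostname, so DNS cannot be
    re-resolved to an internal host between check and use), log in, and
    return the STAT reply. Every failure surfaces as the same FetchError text."""
    try:
        login = build_login_commands(user, password)
        addr = validate_target(host, port)[0]
        with socket.create_connection((addr, port), timeout=timeout) as s:
            f = s.makefile("rb")
            if not f.readline().startswith(b"+OK"):     # server greeting
                raise FetchError(GENERIC_ERROR)
            s.sendall(login)
            for _ in range(2):                          # USER reply, PASS reply
                if not f.readline().startswith(b"+OK"):
                    raise FetchError(GENERIC_ERROR)
            s.sendall(b"STAT\r\n")
            return f.readline().decode("ascii", "replace").strip()
    except FetchError:
        raise
    except (ValueError, OSError, UnicodeError):
        # Validation, DNS, connect and protocol failures collapse into one message.
        raise FetchError(GENERIC_ERROR) from None
```

The detail that matters for the port-scan oracle is the last `except` clause: a refused connection, a timeout, a non-POP3 banner and a rejected hostname all produce the identical user-visible error, so the difference the original poster relied on disappears. Resolving the hostname once and connecting to the checked address (rather than passing the hostname to `create_connection`) is what stops a DNS-rebinding bypass of the address check.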