Package: dsniff
Version: 2.4b1+debian-21.1
Severity: normal
Tags: patch upstream


The POP decoder included in the dsniff program fails to
extract authentication information from a connection made
by thunderbird/icedove using AUTH PLAIN; instead, garbage
(mis-decoded) data is printed to the screen.

The attached patch rewrites the decoder to implement correct
extraction of USER/PASS, AUTH PLAIN and AUTH LOGIN credentials.

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-vserver-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dsniff depends on:
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
pn  libdb4.6                <none>           (no description available)
pn  libnet1                 <none>           (no description available)
pn  libnids1.21             <none>           (no description available)
ii  libpcap0.8              1.1.1-2+squeeze1 system interface for user-level pa
ii  libssl0.9.8             0.9.8o-4squeeze3 SSL shared libraries
ii  openssl                 0.9.8o-4squeeze3 Secure Socket Layer (SSL) binary a

Versions of packages dsniff recommends:
ii  libx11-6                      2:1.3.3-4  X11 client-side library

dsniff suggests no packages.
From b05e27ba9b0ba9ef00ad2183933652e08d8c89af Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <ste...@pico.ruhr.de>
Date: Sat, 29 Oct 2011 20:48:55 +0200
Subject: [PATCH] rewrite and modernize POP decoder


Signed-off-by: Stefan Tomanek <ste...@pico.ruhr.de>
---
 decode_pop.c |   96 ++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 files changed, 77 insertions(+), 19 deletions(-)

diff --git a/decode_pop.c b/decode_pop.c
index 04044f5..767da41 100644
--- a/decode_pop.c
+++ b/decode_pop.c
@@ -6,6 +6,8 @@
  * Copyright (c) 2000 Dug Song <dugs...@monkey.org>
  *
  * $Id: decode_pop.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $
+ *
+ * Rewritten by Stefan Tomanek 2011 <ste...@pico.ruhr.de>
  */
 
 #include "config.h"
@@ -45,32 +47,88 @@ int
 decode_pop(u_char *buf, int len, u_char *obuf, int olen)
 {
 	char *p;
+	char *s;
+	int n;
 	int i, j;
+	char *user;
+	char *password;
+	enum {
+		NONE,
+		AUTHPLAIN,
+		AUTHLOGIN,
+		USERPASS
+	} mode = NONE;
+
 	
 	obuf[0] = '\0';
 	
 	for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) {
-		if (strncasecmp(p, "AUTH PLAIN", 10) == 0 ||
-		    strncasecmp(p, "AUTH LOGIN", 10) == 0) {
-			strlcat(obuf, p, olen);
-			strlcat(obuf, "\n", olen);
-			
-			/* Decode SASL auth. */
-			for (i = 0; i < 2 && (p = strtok(NULL, "\r\n")); i++) {
-				strlcat(obuf, p, olen);
-				j = base64_pton(p, p, strlen(p));
-				p[j] = '\0';
-				strlcat(obuf, " [", olen);
-				strlcat(obuf, p, olen);
-				strlcat(obuf, "]\n", olen);
+		if (mode == NONE) {
+			user = NULL;
+			password = NULL;
+			if (strncasecmp(p, "AUTH PLAIN", 10) == 0) {
+				mode = AUTHPLAIN;
+				continue;
+			}
+			if (strncasecmp(p, "AUTH LOGIN", 10) == 0) {
+				mode = AUTHLOGIN;
+				continue;
+			}
+			if (strncasecmp(p, "USER ", 5) == 0) {
+				mode = USERPASS;
+				/* the traditional login cuts right to the case,
+				 * so no continue here
+				 */
 			}
 		}
-		/* Save regular POP2, POP3 auth info. */
-		else if (strncasecmp(p, "USER ", 5) == 0 ||
-			 strncasecmp(p, "PASS ", 5) == 0 ||
-			 strncasecmp(p, "HELO ", 5) == 0) {
-			strlcat(obuf, p, olen);
-			strlcat(obuf, "\n", olen);
+		printf("(%d) %s\n", mode, p);
+		if (mode == USERPASS) {
+			if (strncasecmp(p, "USER ", 5) == 0) {
+				user = &p[5];
+			} else if (strncasecmp(p, "PASS ", 5) == 0) {
+				password = &p[5];
+			}
+		}
+
+		if (mode == AUTHPLAIN) {
+			j = base64_pton(p, p, strlen(p));
+			p[j] = '\0';
+			n = 0;
+			s = p;
+			/* p consists of three parts, divided by \0 */
+			while (s <= &p[j] && n<=3) {
+				if (n == 0) {
+					/* we do not process this portion yet */
+				} else if (n == 1) {
+					user = s;
+				} else if (n == 2) {
+					password = s;
+				}
+				n++;
+				while (*s) s++;
+				s++;
+			}
+		}
+
+		if (mode == AUTHLOGIN) {
+			j = base64_pton(p, p, strlen(p));
+			p[j] = '\0';
+			if (! user) {
+				user = p;
+			} else {
+				password = p;
+				/* got everything we need :-) */
+			}
+		}
+
+		if (user && password) {
+			strlcat(obuf, "\nusername [", olen);
+			strlcat(obuf, user, olen);
+			strlcat(obuf, "] password [", olen);
+			strlcat(obuf, password, olen);
+			strlcat(obuf, "]\n", olen);
+
+			mode = NONE;
 		}
 	}
 	return (strlen(obuf));
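Review bot: The length returned by base64_pton is used unchecked at both new decode sites (`j = base64_pton(p, p, strlen(p)); p[j] = '\0';` in the AUTHPLAIN and AUTHLOGIN branches), so if it follows the BIND b64_pton convention of returning -1 on malformed input, `p[-1]` is written — a one-byte underflow of the sniffed buffer driven by attacker-controlled wire data; guard each site with `if ((j = base64_pton(p, p, strlen(p))) < 0) { mode = NONE; continue; }`. The `printf("(%d) %s\n", mode, p);` left inside the loop looks like a debugging aid: it dumps every client line, credentials included, straight to stdout and bypasses the obuf/olen output contract, so it should be dropped before merging. The rewrite also silently stops reporting the POP2 `HELO ` line the removed code handled and ignores an initial response sent on the `AUTH PLAIN` line itself; if both are intentional, a comment saying so would help. The local `i` is now unused. decode_pop's closing brace lies beyond the hunk.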
-- 
1.7.5.4
