Package: dsniff Version: 2.4b1+debian-21.1 Severity: normal Tags: patch upstream
The POP decoder included in the dsniff program fails to extract authentication information from a connection made by thunderbird/icedove using AUTH PLAIN; instead, random data is printed to the screen. The attached patch rewrites the decoder to implement correct extraction of USER/PASS, AUTH PLAIN and AUTH LOGIN credentials. -- System Information: Debian Release: 6.0.3 APT prefers stable APT policy: (990, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-vserver-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages dsniff depends on: ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib pn libdb4.6 <none> (no description available) pn libnet1 <none> (no description available) pn libnids1.21 <none> (no description available) ii libpcap0.8 1.1.1-2+squeeze1 system interface for user-level pa ii libssl0.9.8 0.9.8o-4squeeze3 SSL shared libraries ii openssl 0.9.8o-4squeeze3 Secure Socket Layer (SSL) binary a Versions of packages dsniff recommends: ii libx11-6 2:1.3.3-4 X11 client-side library dsniff suggests no packages.
>From b05e27ba9b0ba9ef00ad2183933652e08d8c89af Mon Sep 17 00:00:00 2001
From: Stefan Tomanek <ste...@pico.ruhr.de>
Date: Sat, 29 Oct 2011 20:48:55 +0200
Subject: [PATCH] rewrite and modernize POP decoder
Signed-off-by: Stefan Tomanek <ste...@pico.ruhr.de>
---
 decode_pop.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 files changed, 77 insertions(+), 19 deletions(-)
diff --git a/decode_pop.c b/decode_pop.c
index 04044f5..767da41 100644
--- a/decode_pop.c
+++ b/decode_pop.c
@@ -6,6 +6,8 @@
 * Copyright (c) 2000 Dug Song <dugs...@monkey.org>
 *
 * $Id: decode_pop.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $
+ *
+ * Rewritten by Stefan Tomanek 2011 <ste...@pico.ruhr.de>
 */

 #include "config.h"
@@ -45,32 +47,88 @@ int decode_pop(u_char *buf, int len, u_char *obuf, int olen) { char *p; + char *s; + int n; int i, j; + char *user; + char *password; + enum { + NONE, + AUTHPLAIN, + AUTHLOGIN, + USERPASS + } mode = NONE; + obuf[0] = '\0'; for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { - if (strncasecmp(p, "AUTH PLAIN", 10) == 0 || - strncasecmp(p, "AUTH LOGIN", 10) == 0) { - strlcat(obuf, p, olen); - strlcat(obuf, "\n", olen); - - /* Decode SASL auth. */ - for (i = 0; i < 2 && (p = strtok(NULL, "\r\n")); i++) { - strlcat(obuf, p, olen); - j = base64_pton(p, p, strlen(p)); - p[j] = '\0'; - strlcat(obuf, " [", olen); - strlcat(obuf, p, olen); - strlcat(obuf, "]\n", olen); + if (mode == NONE) { + user = NULL; + password = NULL; + if (strncasecmp(p, "AUTH PLAIN", 10) == 0) { + mode = AUTHPLAIN; + continue; + } + if (strncasecmp(p, "AUTH LOGIN", 10) == 0) { + mode = AUTHLOGIN; + continue; + } + if (strncasecmp(p, "USER ", 5) == 0) { + mode = USERPASS; + /* the traditional login cuts right to the case, + * so no continue here + */ } } - /* Save regular POP2, POP3 auth info. */ - else if (strncasecmp(p, "USER ", 5) == 0 || - strncasecmp(p, "PASS ", 5) == 0 || - strncasecmp(p, "HELO ", 5) == 0) { - strlcat(obuf, p, olen); - strlcat(obuf, "\n", olen); + printf("(%d) %s\n", mode, p); + if (mode == USERPASS) { + if (strncasecmp(p, "USER ", 5) == 0) { + user = &p[5]; + } else if (strncasecmp(p, "PASS ", 5) == 0) { + password = &p[5]; + } + } + + if (mode == AUTHPLAIN) { + j = base64_pton(p, p, strlen(p)); + p[j] = '\0'; + n = 0; + s = p; + /* p consists of three parts, divided by \0 */ + while (s <= &p[j] && n<=3) { + if (n == 0) { + /* we do not process this portion yet */ + } else if (n == 1) { + user = s; + } else if (n == 2) { + password = s; + } + n++; + while (*s) s++; + s++; + } + } + + if (mode == AUTHLOGIN) { + j = base64_pton(p, p, strlen(p)); + p[j] = '\0'; + if (! 
user) { + user = p; + } else { + password = p; + /* got everything we need :-) */ + } + } + + if (user && password) { + strlcat(obuf, "\nusername [", olen); + strlcat(obuf, user, olen); + strlcat(obuf, "] password [", olen); + strlcat(obuf, password, olen); + strlcat(obuf, "]\n", olen); + + mode = NONE; } } return (strlen(obuf)); -- 1.7.5.4
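Review bot: Both SASL branches (`mode == AUTHPLAIN` and `mode == AUTHLOGIN`) use the result of `base64_pton(p, p, strlen(p))` as an index without checking it, so if it signals malformed input with a negative value, as b64_pton-style decoders usually do, `p[j] = '\0'` indexes before the token and the undecoded text may then be recorded as a credential. The lines come from captured network traffic and should be treated as untrusted, so I would add `if (j < 0) { mode = NONE; continue; }` ahead of each `p[j] = '\0';`, which also lets the state machine recover instead of staying in a SASL mode until both `user` and `password` are set. Separately, `printf("(%d) %s\n", mode, p);` looks like leftover debugging: it writes every client line to stdout outside `obuf` and should be dropped. decode_pop begins and ends outside this hunk.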