Trad.Goth Advisory #1- Multiple Information Leaks in MTA's

From: Nexus (nexusat_private-way.co.uk)
Date: Fri Jun 07 2002 - 02:44:56 PDT


    Trad.Goth Advisory #1
    
    Name: Social Engineering of Administrators and Security Professionals
    Type: Information Disclosure
    Date: Daily
    Application: External use only, all MTA's and E-mail Clients,
                 always read the label
    Platform: All Platforms, especially tall ones that wobble a lot
    Severity: Names, contact details and internal network infrastructure details
                    can be enumerated, as can personnel absence
    Author : Nexus <nexusat_private-way.co.uk>
    Vend Status: Out of Jolt.... bummer said Dougal
    CVE: It's too common for a CVE Reference... well actually, I haven't
         asked them
    
    Overview
    
    The names, contact details and presence at work of Administrators and
    Security Professionals can be enumerated in a trivial fashion simply
    by posting a single e-mail to a public mailing list.   The resulting
    storm of Out Of Office Replies (OOOR's) will contain all the vital
    information necessary to socially engineer and determine remote network
    structure and implementation.   Personal mobile (n. cell phone, [US]),
    pager (n. bleepy thing [UK]) numbers and other contact details can also
    be revealed as can recent happy events such as births, deaths and marriages.
    (Not that I am suggesting Death is always a happy occasion but please
    remember that I'm a) a Trad.Goth (tm), b) Divorced and c) hate Marilyn
    Manson.)
    In addition to this, the SMTP header can also reveal RFC 1918 addresses, MTA
    and client versions, OS types, software version banners and any AV products
    being used.
    
    Effects
    
    Certain levels of annoyance for anyone posting to a public mailing list,
    probably major levels of annoyance for the poor Moderator that gets this
    every time they remind the list to turn off OOOR's.
    If your rather crowded OOOR'd inbox becomes an issue, I recommend
    forwarding the details to your local K-RAD 31337 d00d Dept. or Trocadero
    Playgroup for follow-up action.
    
    Detailed Description:
    
    1. Post an e-mail to a public mailing list.
    2. Ermmmm....
    3. That's it.
    4. Await barrage of OOOR's.
    5. Complain to anyone that is willing to listen.
    6. Continued on Page 94.
    7. Apologise to Private Eye for #6
    
    Proof-of-Concept:
    
    This advisory in itself provides full proof of concept, however, list
    members are encouraged to replicate this activity and review the rather
    full inbox that results, in a wide variety of languages.   Contact
    details should be followed up, preferably outside of the individual's
    working hours, so as to convey the importance of telling the entire
    world that you are not available.
    Consideration should be given to reconfiguring your MTA's to send
    YIKYAOOOSSSMOOOR messages (Yes I Know You Are Out Of Office So Stop
    Sending Me Out Of Office Replies) to ensure that people are informed
    that you are In The Office.   Unless you are out of office of course.
    If you are both in and out of the office at the same time, then please
    write an RFC for decoherence and the required number of qubits to factor
    yourself into the same place.
    
    Temporary Workaround:
    
    Inform the list Moderator and the list engine that you are out of office.
    Please.
    Pretty please with sugar on top.
    
    Vendor Response:
    
    The Vendor was unfortunately unavailable being Out Of Office.   However,
    their contact details have been passed to the Insomniac Social Engineering
    Dept. for further analysis and sold to Telemarketing companies.
    
    Common Vulnerabilities and Exposures (CVE) Information:
    
    The Common Vulnerabilities and Exposures (CVE) project
    [http://cve.mitre.org] has not assigned the following name to this
    issue - "Please Stop".   In fact, I have not contacted them at all
    since they only allow crayons here.
    
    Credits:
    
    I would like to thank the "Big 5" consultancy firm with the MTA at
    10.26.104.85, the South American bank with the Solaris box at
    172.16.126.251 via the Tid InfoMail Exchanger v2.20 server and the
    German ISP that likes IBM boxes, including the MTA at 192.168.0.30
    (nice open-source freeware AV solution guys ;-) and the other members
    of this list for supplying me with their emergency contact details.
    Any particularly bad time to call ?
    
    Greetz:
    
    The Guys - y'know who you are... *wave*
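    Added as an example to this archive page, not code from Nexus's post: a
    small Python script that does the two defensive jobs the advisory points
    at. For a list engine, is_auto_reply() recognises an auto-response by the
    headers generators are expected to set (RFC 3834 Auto-Submitted, the
    conventional Precedence values, Microsoft's X-Auto-Response-Suppress, and
    as a last resort the subject line) so the reply can be dropped instead
    of relayed. For a mail admin, leaked_details() enumerates what one of
    their own outbound auto-replies discloses: RFC 1918 addresses and host
    names in the Received trail, MTA/client/AV banners, and phone numbers in
    the body. The sample message is constructed for this example; every host
    name, address, version string and phone number in it is made up.

```python
"""Audit an auto-reply for the disclosures the advisory describes, and
recognise it as an auto-reply so a list engine can discard it.

Added example; not code from the original post.  The message below is
constructed for this example: every host name, address, version string and
phone number in it is made up.
"""
import re
import ipaddress
from email import message_from_string
from email.message import Message

# Constructed sample out-of-office reply (not a real capture).
SAMPLE_OOOR = """\
Received: from mail.example.test (mail.example.test [203.0.113.10])
\tby list.example.test (Postfix) with ESMTP id ABC123
\tfor <list@example.test>; Fri, 07 Jun 2002 09:00:00 +0100
Received: from corp-mx01.internal.example.test (corp-mx01 [10.0.0.25])
\tby mail.example.test (Sendmail 8.12.3/8.12.3) with SMTP id DEF456
Received: from WORKSTATION-07 ([192.168.4.17]) by corp-mx01 with Microsoft SMTPSVC(5.0.2195.4905)
From: "Jane Admin" <jane.admin@example.test>
To: list@example.test
Subject: Out of Office AutoReply: Trad.Goth Advisory #1
Auto-Submitted: auto-replied
Precedence: bulk
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-Scanned-By: ExampleAV 1.2.3

I am out of the office until 14 June. For urgent matters call my mobile
on +44 7700 900123 or contact the helpdesk on extension 4242.
"""

# The advisory talks about RFC 1918 space specifically, so check exactly that
# rather than ipaddress's broader is_private (which also flags TEST-NET etc.).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
FROM_HOST_RE = re.compile(r"\bfrom\s+(\S+)")
MTA_BANNER_RE = re.compile(r"\bby\s+\S+\s+\(([^)]+)\)")        # "by host (Sendmail 8.12.3)"
WITH_BANNER_RE = re.compile(r"\bwith\s+([A-Za-z][A-Za-z ]*\(\d[^)]*\))")  # "with Microsoft SMTPSVC(5.0...)"
PHONE_RE = re.compile(r"\+?\d[\d\s-]{8,}\d")
BANNER_HEADERS = ("X-Mailer", "User-Agent", "X-Scanned-By", "X-MimeOLE")


def is_auto_reply(msg: Message) -> bool:
    """Recognise an auto-response by the markers generators are expected to
    set; the subject check is a last resort for generators that set none."""
    if (msg.get("Auto-Submitted") or "").lower().startswith("auto-"):
        return True
    if (msg.get("Precedence") or "").lower() in ("bulk", "junk", "auto_reply"):
        return True
    if msg.get("X-Auto-Response-Suppress"):
        return True
    return re.search(r"out of (the )?office|autoreply",
                     msg.get("Subject", ""), re.I) is not None


def _add(bucket: list, value) -> None:
    """Append a non-empty value once, keeping first-seen order."""
    if value and value not in bucket:
        bucket.append(value)


def leaked_details(msg: Message) -> dict:
    """Collect what the reply gives away: RFC 1918 addresses and host names
    from the Received trail, MTA/client/AV banners, and phone numbers."""
    found = {"private_ips": [], "hosts": [], "software": [], "phones": []}
    for received in msg.get_all("Received", []):
        for quad in DOTTED_QUAD_RE.findall(received):
            try:
                ip = ipaddress.ip_address(quad)
            except ValueError:          # e.g. "999.1.1.1" or a version string
                continue
            if any(ip in net for net in RFC1918):
                _add(found["private_ips"], str(ip))
        m = FROM_HOST_RE.search(received)
        if m:
            _add(found["hosts"], m.group(1))
        for pattern in (MTA_BANNER_RE, WITH_BANNER_RE):
            m = pattern.search(received)
            if m:
                _add(found["software"], m.group(1))
    for header in BANNER_HEADERS:
        _add(found["software"], msg.get(header))
    body = "" if msg.is_multipart() else msg.get_payload()
    for phone in PHONE_RE.findall(body):
        _add(found["phones"], phone.strip())
    return found


def audit(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the findings plus the verdict."""
    msg = message_from_string(raw)
    result = leaked_details(msg)
    result["auto_reply"] = is_auto_reply(msg)
    return result


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OOOR).items():
        print(f"{key}: {value}")
```

    The outermost Received hop is the list server's own; everything inside
    it was written by the sending site's MTA chain, which is the place to
    strip or rewrite internal hops before mail leaves the border, and the
    auto-response headers are what a list engine should key on to refuse to
    relay OOOR's at all.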
    



    This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 08:52:48 PDT