lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: nexus at patrol.i-way.co.uk (Nexus)
Subject: Bugtraq postings from non-members may disclose some list-member's addresses

I have previously reported this issue to the vendors in June, from a
subscribed address ;-)
And yes, I did get a load from this as well.
#include <irony.h>

Cheers.

http://online.securityfocus.com/archive/82/275880
Trad.Goth Advisory #1

Name: Social Engineering of Administrators and Security Professionals
Type: Information Disclosure
Date: Daily
Application: External use only, all MTA's and E-mail Clients, always read
the label
Platform: All Platforms, especially tall ones that wobble a lot
Severity: Names, contact details and internal network infrastructure details
                can be enumerated, as can personnel absence
Author : Nexus <nexus@...rol.i-way.co.uk>
Vend Status: Out of Jolt.... bummer said Dougal
CVE: It's too common for a CVE Reference... well actually, I haven't asked
them

Overview

The names, contact details and presence at work of Administrators and
Security Professionals can be enumerated in a trivial fashion simply
by posting a single e-mail to a public mailing list.   The resulting
storm of Out Of Office Replies (OOOR's) will contain all the vital
information necessary to socially engineer and determine remote network
structure and implementation.   Personal mobile (n. cell phone, [US]),
pager (n. bleepy thing [UK]) numbers and other contact details can also
be revealed as can recent happy events such as births, deaths and marriages.
(Not that I am suggesting Death is always a happy occasion  but please
remember
that I'm a) a Trad.Goth (tm) , b) Divorced and c) hate Marilin Manson.)
In addition to this, the SMTP header can also reveal RFC 1918 addresses, MTA
and client versions, OS types, software version banners and any AV products
being used.

Effects

Certain levels of annoyance for anyone posting to a public mailing list,
probably major levels of annoyance for the poor Moderator that gets this
every time they remind the list to turn of OOOR's.
If your rather crowded OOOR'd inbox becomes an issue, I recommend forwarding
the details to your local K-RAD 31337 d00d Dept. or Trocedero Playgroup for
follow-up action.

Detailed Description:

1. Post an e-mail to a public mailing list.
2. Ermmmm....
3. That's it.
4. Await barrage of OOOR's.
5. Complain to anyone that is willing to listen.
6. Continued on Page 94.
7. Apologise to Private Eye for #6

Proof-of-Concept:

This advisory in itself provides full proof of concept, however, list
members
are encouraged to replicate this activity and review the rather full inbox
that results, in a wide variety of languages.   Contact details should be
followed up, preferably outside of the individuals working hours, so as to
convey
the importance of telling the entire world that you are not available.
Consideration should be given to reconfiguring your MTA's to send
YIKYAOOOSSSMOOOR
messages (Yes I Know You Are Out Of Office So Stop Sending Me Out Of Office
Replies)
to ensure that people are informed that you are In The Office.   Unless you
are out
of office of course.   If you are both in and out of the office at the same
time,
then please write an RFC for decoherance and the required number of qubits
to factor
yourself into the same place.

Temporary Workaround:

Inform the list Moderator and the list engine that you are out of office.
Please.
Pretty please with sugar on top.

Vendor Response:

The Vendor was unfortunately unavailable being Out Of Office.   However,
their contact details have been passed to the Insomniac Social Engineering
Dept. for further analysis and sold to Telemarketing companies.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project
[http://cve.mitre.org]
has not assigned the following name to this issue - "Please Stop".
In fact, I have not contacted them at all since they only allow crayons
here.

Credits:

I would like to thank the "Big 5" consultantcy firm with the MTA at
10.26.104.85,
the South American bank with the Solaris box at 172.16.126.251 via the
Tid InfoMail Exchanger v2.20 server and the German ISP that likes IBM boxes,
including the MTA at 192.168.0.30 (nice open-source freeware AV solution
guys ;-)
and the other members of this list for supplying me with their emergency
contact
details.   Any particularly bad time to call ?

Greetz:

The Guys - y'know who you are... *wave*


----- Original Message -----
From: "Ka" <ka@...dr.net>
To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
Sent: Thursday, September 26, 2002 5:22 PM
Subject: [Full-Disclosure] Bugtraq postings from non-members may disclose
some list-member's addresses


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> yesterday I posted something to full-disclosure and at the same time
> to bugtraq, but did so unintentionally from an email address which
> is not subscribed to bugtraq (I simply responded to a posting from
> Gossi the dog with "reply to all").
>
> Intentionally I'm doing the same with this message -
> it's allways good to have a test case, isn't it? .o)
>
> As a result, I'm getting all the bouncing list-emails delivered back
> to me personally, i.e. all MTAs of members with delivery problems
> or vacation messages set up send their bounce message to me instead
> of back to the bugtraq administration.
>
> Obviously under the described circumstances the Return-Path: header
> is not set by the bugtraq list software.
>
> The few examples where the headers of my original posting where
> sent back to me as part of an "message undeliverable" error,
> show that the mail came from lists.securityfocus.com. The first
> MTA was allways specified as
>
> Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
>         by outgoing.securityfocus.com (Postfix) with QMQP
>         id D55EEA373E; Wed, 25 Sep 2002 12:55:59 -0600 (MDT)
>
> And of course there was no Return-Path: set.
>
>
>
> Since yesterday I learned, which members have their mailbox full,
> are out of office, or fucked up their .forward files into
> undeliverabilty (if there is such a word in English).
> Not many members BTW, but enough for a good party.
>
>
>
> Severity: low
> Fun-Factor: high
> Vendor notified: neahneah - would've spoiled the fun otherwise.
>
>
> Have a nice day!
> Ka
> - --
> Better a newer mind than a never mind.
> But best to run around out of no mind.
> http://www.khidr.net/users/ka/pgpkey.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE9kzRX72vu22ltWBERAqLVAJ4iSWXnDvzhk8ipQ+G+oyEKLyWoEgCeIGWz
> 5ANkI0TLVQ2MjOfXPSEMP7c=
> =jwYF
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ