Gather all mailing list members through SMTP expn command

Summary
Description:In some cases it is possible to determine all the subscribers of a mailing list, even if you have disabled commands like "who" in your majordomo (or other listserv) software.
Author:"Christopher M. Conway" <cmconwa@SANDIA.GOV>
Compromise:unauthorized people can obtain subscriber lists.
Vulnerable Systems:Those running majordomo in a vulnerable fashion
Date:22 October 1997
Details


Date: Wed, 22 Oct 1997 10:25:27 -0600
From: "Christopher M. Conway" <cmconwa@SANDIA.GOV>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Majordomo and EXPN

This is actually correctable by putting the arguments for resend into a file...
local users could still get at the data (potentially) by grabbing the
file if it's not protected, but remote users can't. You still have the
problem that someone could conceivably guess the actual alias that you're
using-- but that problem exists regardless. At any rate, you can see what
I mean from my system. It's not online right now (periodic connections to
the net), but you'll see something like this from an expn:

expn mylist
250 <"|/usr/local/mail/majordomo/wrapper resend @mylist.resend"@myhost.com>
expn mylist-outgoing
550 mylist-outgoing... User unknown
expn mylist-code1389110-outgoing
250 .... the whole list of subscribers ...

(Since my system isn't online right now, I can't verify that this is *exactly*
what it looks like, nor the exact syntax for resend, but it's something
like that).

mylist.resend actually has the arguments including the actual outgoing alias.
So, you'd have to guess that the actual outgoing address has that arbitrary
stuff in it (-code1389110-)-- which is exactly how I cobble up those addresses.
(not that exactly, of course, but it's similar.)

Now, I've got to fix something in sendmail, however, that puts that address
(the actual outgoing alias) in the headers of the messages-- so once someone
subscribes, they *could* get access to the whole list.

(Note: these lists are run from my own domain, not sandia.)

--
Christopher M. Conway           U*IX and C Guru         Don't Tread on Me
cmconwa@sandia.gov              wombat@prickly-wombat.com
We must all hang together, or, most assuredly, we will all hang separately.
I'll be post-feminist in the post-patriarchy.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]