Gather all mailing list members through SMTP expn command
|Description:||In some cases it is possible to determine all the subscribers of a mailing list, even if you have disabled commands like "who" in your majordomo (or other listserv) software.|
|Author:||"Christopher M. Conway" <cmconwa@SANDIA.GOV>|
|Compromise:||unauthorized people can obtain subscriber lists.|
|Vulnerable Systems:||Those running majordomo in a vulnerable fashion |
|Date:||22 October 1997 |
Date: Wed, 22 Oct 1997 10:25:27 -0600
From: "Christopher M. Conway" <cmconwa@SANDIA.GOV>
Subject: Re: Majordomo and EXPN
This is actually correctable by putting the arguments for resend into a file...
local users could still get at the data (potentially) by grabbing the
file if it's not protected, but remote users can't. You still have the
problem that someone could conceivably guess the actual alias that you're
using-- but that problem exists regardless. At any rate, you can see what
I mean from my system. It's not online right now (periodic connections to
the net), but you'll see something like this from an expn:
250 <"|/usr/local/mail/majordomo/wrapper resend @mylist.resend"@myhost.com>
550 mylist-outgoing... User unknown
250 .... the whole list of subscribers ...
(Since my system isn't online right now, I can't verify that this is *exactly*
what it looks like, nor the exact syntax for resend, but it's something
mylist.resend actually has the arguments including the actual outgoing alias.
So, you'd have to guess that the actual outgoing address has that arbitrary
stuff in it (-code1389110-)-- which is exactly how I cobble up those addresses.
(not that exactly, of course, but it's similar.)
Now, I've got to fix something in sendmail, however, that puts that address
(the actual outgoing alias) in the headers of the messages-- so once someone
subscribes, they *could* get access to the whole list.
(Note: these lists are run from my own domain, not sandia.)
Christopher M. Conway U*IX and C Guru Don't Tread on Me
We must all hang together, or, most assuredly, we will all hang separately.
I'll be post-feminist in the post-patriarchy.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: