Firewall Wizards mailing list archives

Re: MS Entourage (on OS X) sends information about internal network


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 1 Jun 2004 18:56:27 -0400 (EDT)

On Tue, 1 Jun 2004, John Adams wrote:

> Here's some tcpdump output from our network:
>
> 15:15:37.414183 tione.xxxxxxxxxx.com.smtp > xx.xxx.207.194.45323: P
> [tcp sum ok] 1:93(92) ack 1 win 5792 <nop,nop,timestamp 271042 3607425246>
> (DF) (ttl 64, id 9803, len 144)
> 0x0000   4500 0090 264b 4000 4006 4e36 d1ed e46a        E...&K@.@.N6...j
> 0x0010   3fcc cfc2 0019 b10b 8cac 048a c4e3 2986        ?.............).
> 0x0020   8018 16a0 49ea 0000 0101 080a 0004 22c2        ....I.........".
> 0x0030   d704 f0de 3232 3020 7469 6f6e 652e 7468        ....220.tione.xx
> 0x0040   6569 6e74 6572 7365 6374 696f 6e2e 636f        xxxxxxxxxxxxx.co
> 0x0050   6d20 4553 4d54 5020 5365 6e64 6d61 696c        m.ESMTP.Sendmail
> 0x0060   2038 2e31 322e 382f 382e 3132 2e38 3b20        .8.12.8/8.12.8;.
> 0x0070   5475 652c 2031 204a 756e 2032 3030 3420        Tue,.1.Jun.2004.
> 0x0080   3135 3a31 353a 3337 202d 3034 3030 0d0a        15:15:37.-0400..
>
> 15:15:37.430821 xx.xxx.207.194.45323 > tione.xxxxxxxxxx.com.smtp: P
> [tcp sum ok] 1:19(18) ack 93 win 65535 <nop,nop,timestamp 3607425246
> 271042> (DF) (ttl 48, id 708, len 70)
> 0x0000   4500 0046 02c4 4000 3006 8207 3fcc cfc2        E..F..@.0...?...
> 0x0010   d1ed e46a b10b 0019 c4e3 2986 8cac 04e6        ...j......).....
> 0x0020   8018 ffff e6d1 0000 0101 080a d704 f0de        ................
> 0x0030   0004 22c2 4548 4c4f 205b 3130 2e32 2e31        ..".EHLO.[10.2.1
> 0x0040   2e32 335d 0d0a                                 .23]..
>
> I assume that with enough time it'd be possible to map the internal
> networks of external users if you run a busy MTA - this is more of an
> information leak issue than anything else.
>
> I don't know of too many firewalls that block outbound EHLO data -- does
> anyone know of an FW that can block this type of leak?

Postfix at the application level should be able to handle it.  Ideally,
user machines shouldn't be sending SMTP directly (yes, it's more of an
issue on a Windows network, though), and you should scrub the headers at
the gateway if that's a concern for you.

Entourage also puts the e-mail address in the message-id, but Outlook
Express puts the IP address in the message-id, so that allows leakage as
well.  I'm not sure how Outlook generates message-ids, but suspect there's
some leakage stuff in there too.

There are generally enough ways to get a system to cough up its
physical address that I'm not sure it's a major issue in any case.  Ok,
you get the addresses of the desktops; you can call and get that from most
of the users, and generally, you don't need the addresses to get malcode
onto the desktops, so any piece of malware you can get run will enumerate
for you, and if they're allowed to SMTP straight out, Bob's your uncle.

One good program or installer, and you're generally in the same place.  In
general, I'm not as worried about information disclosure as I used to be,
because it really doesn't gain the attacker much that can't be gained some
other way.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
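A gateway-side check for the two leaks this thread discusses (an internal address literal in the client's EHLO/HELO, and an IP address embedded in a Message-ID header), written as an added example and not code from the original message or from Postfix. The SMTP session and header below are constructed, modelled on the `EHLO [10.2.1.23]` visible in the quoted capture; the function names are my own.

```python
"""Flag outbound SMTP sessions and headers that disclose internal addresses.

Constructed sample data below; regexes and helper names are this example's own.
"""
import ipaddress
import re

# EHLO/HELO whose argument is an address literal, e.g. "EHLO [10.2.1.23]"
HELO_LITERAL = re.compile(r"^(?:EHLO|HELO)\s+\[(?:IPv6:)?([0-9a-fA-F.:]+)\]", re.I)
# A dotted quad embedded anywhere in a header value, e.g. "<id@[10.2.1.23]>"
DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; False for public or unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def scan_client_commands(lines):
    """Return (command, address) for each EHLO/HELO that leaks an internal literal."""
    findings = []
    for line in lines:
        cmd = line.strip()
        m = HELO_LITERAL.match(cmd)
        if m and is_internal(m.group(1)):
            findings.append((cmd, m.group(1)))
    return findings


def scan_headers(headers):
    """Return (header_name, address) for headers embedding an internal IPv4 address."""
    findings = []
    for name, value in headers.items():
        for addr in DOTTED_QUAD.findall(value):
            if is_internal(addr):
                findings.append((name, addr))
    return findings


# Constructed sample: client side of the quoted session plus a Message-ID built by a desktop MUA
SAMPLE_COMMANDS = ["EHLO [10.2.1.23]", "MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.org>"]
SAMPLE_HEADERS = {"Message-ID": "<20040601151537.4f3a@[10.2.1.23]>", "Subject": "status"}

if __name__ == "__main__":
    for cmd, addr in scan_client_commands(SAMPLE_COMMANDS):
        print(f"EHLO leak: {cmd!r} discloses {addr}")
    for name, addr in scan_headers(SAMPLE_HEADERS):
        print(f"Header leak: {name} embeds {addr}")
```

Running the same two scans over the gateway's outbound relay log or the queue's header dump tells you whether the scrubbing Paul describes is actually in place.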