[22561] in bugtraq
Microsoft Exchange + Norton AntiVirus leak local information
daemon@ATHENA.MIT.EDU (Matthias Andree)
Fri Sep 7 14:08:56 2001
Date: Fri, 7 Sep 2001 11:46:02 +0200
From: Matthias Andree <matthias.andree@gmx.de>
To: bugtraq@securityfocus.com
Message-ID: <20010907114602.A9576@emma1.emma.line.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Intro: I usually attach three lines similar to these in my signature:
| Outlook (Express) users: press Ctrl+F3 for the full source code of this post.
| begin dont_click_this_virus.exe
| end
In the original, I have two spaces after "begin" which tricks broken
Microsoft software (they still haven't grasped MIME!) into thinking it's
a uuencoded attachment.
Note we're not discussing the political correctness of my signature here.
I recently got a message from an Exchange V6.0.4712.0 site running
Norton Antivirus, which revealed information on where the user filtered
its mailing list to:
| Recipient of the infected attachment: USERNAME DELETED\Posteingang\Mailinglisten\Postfix Users
| Subject of the message: Postfix and interface address aliases on Linux
| One or more attachments were quarantined.
| Attachment dont_click_this_virus.exe was Quarantined for the following
| reasons:
| Virus UNAUTHORIZED FILE was found.
I believe I'm not supposed to see the
"...\Posteingang\Mailinglisten\Postfix Users" part. (Posteingang is
usually named INBOX in English) I had expected the destination mail
address there.
I cannot tell whether this is an Norton AntiVirus bug or an Exchange
bug.
Needless to say that the egocentric Exchange sent a winmail.dat
attachment.
--
Matthias Andree
