[22628] in bugtraq
Re: Is there user Anna at your host ?
daemon@ATHENA.MIT.EDU (Josha Bronson)
Wed Sep 12 13:50:23 2001
Date: Wed, 12 Sep 2001 10:12:56 -0700
From: Josha Bronson <dmuz@slartibartfast.angrypacket.com>
To: "Alexander A. Kelner" <akson@tts.debryansk.ru>
Cc: bugtraq@securityfocus.com
Message-ID: <20010912101256.A16107@slartibartfast.angrypacket.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.33.0109121638580.7989-100000@tower.tts.debryansk.ru>; from akson@tts.debryansk.ru on Wed, Sep 12, 2001 at 06:17:41PM +0400
On Wed, Sep 12, 2001 at 06:17:41PM +0400, Alexander A. Kelner said:
> So, he can easily discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.
First off it looks like this was mentioned here:
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html
> This approach allows him to get the necessary info instead of the disabled
> VRFY feature in your Sendmail!
>
> Apache works quickly and IMHO doesn't provide any response delays
> for any kind of result code. So a bad boy can check 1000 different
> names in a very short time!
This will indeed allow you to enumerate usernames on systems that have
this feature enabled. The obvious solution is to disable this feature by
changing "UserDir public_html" (or whatever) to "UserDir disabled".
However that might not be an option in many cases.
> Sorry if I'm wrong, or this is something trivial.
Wrong? No. Trivial? Up in the air. Enumeration of user names is
definitely an important step in attacking a system, but just a username
is not going to get you very much. Also, there are a number of other
methods that could be used, like searching for '@domain.tld', VRFY in
sendmail (as you mentioned) or good old-fashioned finger (yes, a lot of
people still run fingerd).
If you are paranoid like me, then disable it. Or just run OpenBSD, which
disables it by default.
--
josha.bronson(aka->dmuz) >> dmuz@angrypacket.com
networks/systems/security && CCNA, RHCE
josha.net || dmuz.angrypacket.com
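The probe the thread describes, written out as an added example (this is not code from either poster): request `/~name/` for each candidate and sort names by the status code that comes back. The specific mapping is an assumption made here, not something the post states: a name with no account behind it yields 404, while an existing account whose `public_html` is absent or unreadable yields 403, and anything 2xx/3xx means the directory is being served. The block also includes a small check of an `httpd.conf` fragment for the fix Josha gives, a bare `UserDir disabled`, and it treats a later `UserDir enabled ...` as re-opening the hole. The sample host table is constructed so the script runs offline; `probe_http` is the function you would pass instead against a real server.

```python
"""UserDir username enumeration: the probe from the thread, plus a config check.

Added example, not part of the original bugtraq post.  The status-code
mapping below is an assumption about mod_userdir behaviour, not a claim
taken from the post.
"""
import http.client
from typing import Callable, Dict, Iterable

# Assumed mapping (not from the original post): a request for /~name/
# returns 404 when no such account exists; an existing account whose
# public_html is missing or unreadable yields 403; 2xx/3xx means the
# directory exists and is being served.
EXISTS_CODES = {200, 301, 302, 403}
ABSENT_CODES = {404}


def classify(status: int) -> str:
    """Map an HTTP status for /~name/ to 'exists', 'absent' or 'unknown'."""
    if status in ABSENT_CODES:
        return "absent"
    if status in EXISTS_CODES:
        return "exists"
    return "unknown"


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> Callable[[str], int]:
    """Build a fetch function that issues HEAD /~name/ and returns the status.

    Only used when pointed at a real host; the offline demo below uses
    a constructed table instead.
    """
    def fetch(name: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("HEAD", f"/~{name}/")
            return conn.getresponse().status
        finally:
            conn.close()
    return fetch


def enumerate_users(candidates: Iterable[str], fetch: Callable[[str], int]) -> Dict[str, str]:
    """Classify each candidate name using the supplied fetch function."""
    return {name: classify(fetch(name)) for name in candidates}


def userdir_globally_disabled(config_text: str) -> bool:
    """True if the httpd.conf fragment turns UserDir off for everyone.

    A bare 'UserDir disabled' disables all translations; any
    'UserDir enabled user...' line re-enables some, so the fragment is
    only counted as hardened when no such line is present.  Scoping by
    <VirtualHost>/<Directory> blocks is deliberately ignored here.
    """
    disabled_all = False
    explicitly_enabled = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "userdir":
            continue
        args = [p.lower() for p in parts[1:]]
        if args[0] == "disabled" and len(args) == 1:
            disabled_all = True
        elif args[0] == "enabled":
            explicitly_enabled = True
    return disabled_all and not explicitly_enabled


# Constructed sample host: what the probe would see for a few names.
FAKE_HOST = {"anna": 403, "root": 403, "www": 200}


def fake_fetch(name: str) -> int:
    """Offline stand-in for probe_http() driven by the constructed table."""
    return FAKE_HOST.get(name, 404)


if __name__ == "__main__":
    for name, verdict in enumerate_users(["anna", "bob", "www", "root"], fake_fetch).items():
        print(f"{name:8s} {verdict}")
    weak = "UserDir public_html\n"
    fixed = "UserDir disabled\n"
    print("weak config hardened?", userdir_globally_disabled(weak))
    print("fixed config hardened?", userdir_globally_disabled(fixed))
```

Run it against a real server by replacing `fake_fetch` with `probe_http("host.example")`; because there is no rate limit on the 403/404 distinction, a wordlist of a thousand names takes about a thousand HEAD requests, which is exactly the point the original poster makes.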