Multiple Mail Server EXPN/VRFY Information Disclosure - Nessus

Medium   Plugin ID: 10249

---

This page contains detailed information about the Multiple Mail Server EXPN/VRFY Information Disclosure Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 10249
Name: Multiple Mail Server EXPN/VRFY Information Disclosure
Filename: sendmail_expn.nasl
Vulnerability Published: 1982-08-01
This Plugin Published: 1999-06-22
Last Modification Time: 2018-08-13
Plugin Version: 1.59
Plugin Type: remote
Plugin Family: SMTP problems
Dependencies: find_service1.nasl, smtpserver_detect.nasl

Vulnerability Information

---

Severity: Medium
Vulnerability Published: 1982-08-01
Patch Published: N/A
CVE [?]: N/A
CPE [?]: N/A

Synopsis

It is possible to enumerate the names of valid users on the remote host.

Description

The remote SMTP server answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account.

Your mailer should not allow remote users to use any of these commands, because it gives them too much information.

Solution

If you are using Sendmail, add the option :

O PrivacyOptions=goaway

in /etc/sendmail.cf.

Public Exploits

---

Target Network Port(s): 25
Target Asset(s): Services/smtp
Exploit Available: True (Metasploit Framework)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Multiple Mail Server EXPN/VRFY Information Disclosure vulnerability:

1. Metasploit: auxiliary/scanner/smtp/smtp_enum
   [SMTP User Enumeration Utility]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

Risk Information

---

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Base Score:	5.0 (Medium)
Impact Subscore:	2.9
Exploitability Subscore:	10.0
CVSS Temporal Score:	NA (None)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	5.0 (Medium)

Go back to menu.

Plugin Source

---

This is the sendmail_expn.nasl nessus plugin source code. This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10249);
 script_version("1.59");
 script_cvs_date("Date: 2018/08/13 14:32:38");


 script_name(english:"Multiple Mail Server EXPN/VRFY Information Disclosure");
 script_summary(english:"EXPN and VRFY checks");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to enumerate the names of valid users on the remote
host.");
 script_set_attribute(attribute:"description", value:
"The remote SMTP server answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find the delivery address of mail
aliases, or even the full name of the recipients, and the VRFY command
may be used to check the validity of an account.

Your mailer should not allow remote users to use any of these
commands, because it gives them too much information.");
 script_set_attribute(attribute:"solution", value:
"If you are using Sendmail, add the option :

 O PrivacyOptions=goaway

in /etc/sendmail.cf.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'SMTP User Enumeration Utility');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"1982/08/01");
 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
 script_family(english:"SMTP problems");

 script_dependencies("find_service1.nasl", "smtpserver_detect.nasl");
 script_require_ports("Services/smtp", 25);
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

port = get_service(svc:"smtp", default:25, exit_on_fail:1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0, "The SMTP server listening on port "+port+" is broken.");

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

b = smtp_recv_banner(socket:soc);
if (!b) audit(AUDIT_NO_BANNER, port);
trace = '\n  ' + chomp(b);

s = 'HELO example.com';
send(socket:soc, data:s+'\r\n');
r = smtp_recv_line(socket:soc);
trace += '\n  ' + s +
         '\n  ' + chomp(r);

vuln = 0;

s = 'EXPN root';
send(socket:soc, data:s+'\r\n');
expn_root = r = smtp_recv_line(socket:soc);
trace_expn = '\n  ' + s +
             '\n  ' + chomp(r);

# Some Postfix reply as follow:
#
# 220-localhost.localhost ESMTP Postfix
# HELO there
# 220 localhost.localhost ESMTP Postfix
# 250 localhost.localhost
# EXPN root
# 502 5.5.2 Error: command not recognized
#
if ( r =~ "^250 " )
{
  r2 = smtp_recv_line(socket:soc);
  if (r2)
  {
    expn_root = r = r2;
    trace_expn += '\n  ' + chomp(r2);
  }
}

if (
  ereg(string:r, pattern:"^(250|550)(-| ).*$") &&
  # exim hack
  !ereg(string:r, pattern:"^550 EXPN not available.*$") &&
  !ereg(string:r, pattern:"^550.*Administrative prohibition.*$") &&
  !ereg(string:r, pattern:"^550.*Access denied.*$") &&
  # QHMail 4.6.3.1
  !ereg(string:r, pattern:"^550 lists are confidential.*$") &&
  # PMDF MTA
  !ereg(string:r, pattern:"^550.* EXPN command has been disabled\.$") &&
  !ereg(string:r, pattern:"^550.*EXPN")
)
{
  # nb: check for a bogus account to avoid false positives; eg,
  #     Postfix with EXPN in 'smtpd_noop_commands'.
  if (report_paranoia < 2)
  {
    s2 = 'EXPN random' + rand();
    send(socket:soc, data:s2+'\r\n');
    r2 = smtp_recv_line(socket:soc);

    trace_expn += '\n  ' + s2 +
                  '\n  ' + chomp(r2);
  }
  else r2 = s2 = NULL;

  if (
    isnull(s2) ||
    (
      ereg(string:r2, pattern:"^(250|550)(-| ).*$") &&
      substr(expn_root, 0, 2) != substr(r2, 0, 2)
    )
  )
  {
    trace += trace_expn;

    set_kb_item(name:"SMTP/expn", value:TRUE);
    vuln++;
  }
}

s = 'VRFY root';
send(socket:soc, data:s+'\r\n');
vrfy_root = r = smtp_recv_line(socket:soc);
trace_vrfy = '\n  ' + s +
             '\n  ' + chomp(r);

if (ereg(string:r, pattern:"^(250|550)(-| ).*$"))
{
  if (report_paranoia < 2)
  {
    s2 = 'VRFY random' + rand();
    send(socket:soc, data:s2+'\r\n');
    r2 = smtp_recv_line(socket:soc);

    trace_vrfy += '\n  ' + s2 +
                  '\n  ' + chomp(r2);
  }
  else r2 = s2 = NULL;

  if (
    isnull(s2) ||
    (
      ereg(string:r2, pattern:"^(250|550)(-| ).*$") &&
      substr(vrfy_root, 0, 2) != substr(r2, 0, 2)
    )
  )
  {
    trace += trace_vrfy;

    set_kb_item(name:"SMTP/vrfy", value:TRUE);
    vuln++;
  }
}
smtp_close(socket:soc);


if (vuln > 0)
{
  if (report_verbosity > 0)
  {
    report = '\n' + 'Here is a trace of the SMTP traffic that demonstrates the issue';
    if (vuln > 1) report += 's';
    report += ' : ' +
              '\n' + trace +
              '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else exit(0, "The SMTP server listening on port "+port+" is not affected.");

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/sendmail_expn.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\sendmail_expn.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/sendmail_expn.nasl

Go back to menu.

How to Run

---

Here is how to run the Multiple Mail Server EXPN/VRFY Information Disclosure as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select SMTP problems plugin family.
6. On the right side table select Multiple Mail Server EXPN/VRFY Information Disclosure plugin ID 10249.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl sendmail_expn.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a sendmail_expn.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - sendmail_expn.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state sendmail_expn.nasl -t <IP/HOST>

Go back to menu.

References

---

See also:

• https://www.tenable.com/plugins/nessus/10249
• https://vulners.com/nessus/SENDMAIL_EXPN.NASL

Similar and related Nessus plugins:

• 11499 - Sendmail < 8.12.9 NOCHAR Control Value prescan Overflow
• 10247 - Sendmail DEBUG/WIZ Remote Command Execution
• 11316 - Sendmail headers.c crackaddr Function Address Field Handling Remote Overflow
• 11838 - Sendmail < 8.12.10 prescan() Function Remote Overflow
• 49217 - Multiple Switch Vendors '__super' Account Backdoor
• 44937 - Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)
• 49003 - Multiple Vulnerabilities in the IOS FTP Server
• 49017 - Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
• 139545 - Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020 (cisco-sa-treck-ip-stack-JyBQ5GyC)
• 11748 - Multiple Dangerous CGI Script Detection
• 33447 - Multiple Vendor DNS Query ID Field Prediction Cache Poisoning
• 11197 - Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
• 10821 - Multiple FTPD glob Command Arbitrary Command Execution
• 10084 - Multiple FTP Server Command Handling Overflow
• 123520 - Multiple Command Injection Vulnerabilities in Grandstream Products
• 124173 - Multiple Command Injection Vulnerabilities in Grandstream Products
• 10930 - Multiple Web Server on Windows MS/DOS Device Request Remote DOS
• 11337 - Multiple Linux rpc.mountd Remote Overflow
• 10176 - Multiple Vendor phf CGI Arbitrary Command Execution
• 40449 - Multiple Vendor HMAC Authentication SNMPv3 Authentication Bypass
• 10282 - Multiple Vendor test-cgi Arbitrary File Access
• 11136 - Multiple OS /bin/login Remote Overflow
• 80475 - Multiple Slider Plugins for WordPress 'img' Parameter Local File Inclusion Vulnerability
• 31683 - Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sendmail_expn.nasl version 1.59. For more plugins, visit the Nessus Plugin Library.

Go back to menu.