Re: ISS Proventia email overflow

["David Maynor" <dmaynor () gmail com>]

What is contained in that email? Specifically that check is looking
for strings that could be used as the payload in a buffer overflow.
There is always a chance of positives but I would love to see what
kinda of legit email contains characters that could be translated to
machine code in a useful fashion.

On Nov 19, 2007 5:28 PM, Albert R. Campa <abcampa () gmail com> wrote:
> Hi guys,
>
> I am getting spurts of events trigerred by ISS Proventia, with the
> following vuln description:
> Vulnerability description
> In buffer overflow attacks, an attacker supplies data that is longer
> than the available space to hold it. For stack allocated variables,
> this usually means the attacker can corrupt other variables and
> eventually modify the code that is executed when the function in which
> the overflow occurs ends.
>
> http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm
>
> They are from a trusted mail server so its not being blocked.
>
> Do you think this is just a true false positive or is this trusted
> mail server sending bad packets?
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------