Full Disclosure mailing list archives
Re: TCP port 25 traffic?
From: Matthias Wabersich <ssy () niafc de>
Date: Sun, 17 Aug 2003 17:00:44 +0200
On Sat, 16 Aug 2003 15:45:09 -0700 Josh Karp <josh.karp () visionael com> wrote:
> I've seen an unusual amount of connection attempts to TCP port 25 on a particular system in my network as of the past 48 hours or so. It's only this one system, and it's multiple source IP's. Is there anything new for SMTP?
>
> Thanks for any info...
>
> josh

Hello all, first post on this list *sigh*.

German RUS-CERT of University of Stuttgart stated on Thu, 14 August that there is a flaw in Exim (Ver. 3.x and 4.x up to 4.20). Version 4.21 is not affected. In these versions it is possible to overflow a buffer using the HELO or EHLO command. According to the post, the buffer can only be overwritten with constant data that is not given by the attacker. So an exploitation of this flaw is unlikely.

You can use these patches to fix up the flaw:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html

If you are capable of reading German, here is the original post:
http://CERT.Uni-Stuttgart.DE/ticker/article.php?mid=1133

As stated earlier, it is unlikely that this flaw can be exploited, but one never knows. I could not confirm any odd behaviour of exim since I am using vendor-provided versions which obviously are not affected.

Greetings,
M.W.
(I apologize for my bad English, if you find it to be so)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html