Snort mailing list archives
Re: Rule for sendmail-exploit
From: "Elvir Crnic" <elvir.crnic () abnamro nl>
Date: Wed, 5 Mar 2003 14:30:30 +0100
Try this from the snort-signature mailing list:

From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: "Joe Stewart" <jstewart () lurhq com>, <snort-sigs () lists sourceforge net>, <intrusions () incidents org>
Date: Tue, 4 Mar 2003 14:40:34 -0600

Could this not be rewritten to be less specific to the type of fields that are being used? Such as:

content:"\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|";

and does this mean that the current rule in CVS for this vulnerability should be changed to not only match for From:?

-----Original Message-----
From: Joe Stewart [mailto:jstewart () lurhq com]
Sent: Tuesday, March 04, 2003 1:23 PM
To: snort-sigs () lists sourceforge net; intrusions () incidents org
Subject: [Snort-sigs] Sendmail crackaddr header overflow sigs

I wrote and tested the signatures below based on the LSD proof-of-concept code, but I've expanded them to make them less specific to a particular implementation. An exploit for this vulnerability can utilize any header field marked internally by sendmail as having the H_FROM flag set.

According to the sendmail source, these fields are:

Resent-Sender:
Resent-From:
Resent-Reply-To:
Sender:
From:
Reply-To:
Errors-To:

I therefore propose the following signatures to detect the overflow attempt:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Sender\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"From\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Reply-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Errors-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
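As an added example, not part of the thread or of any Snort rule set, the two matching strategies discussed above (Joe's per-field rules over the seven H_FROM headers and Chad's field-agnostic `: |3c3e ...|` content) are modelled below in Python and run over constructed SMTP header fragments. The field list and the marker bytes are the ones quoted in the thread; the sample messages, function names and the `classify` helper are assumptions of this example.

```python
import re

# The seven header fields the thread quotes as carrying sendmail's H_FROM flag.
H_FROM_FIELDS = ("Resent-Sender", "Resent-From", "Resent-Reply-To",
                 "Sender", "From", "Reply-To", "Errors-To")

# Snort content "|3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|" decodes to 16 bytes of "<>".
CRACKADDR_MARKER = bytes.fromhex("3c3e" * 8)   # b"<><><><><><><><>"


def hfrom_rule_hits(payload: bytes) -> list:
    """Per-field form from the thread: '<Field>: ' + marker, matched nocase.

    Returns the H_FROM field names whose rule would fire on this payload."""
    lowered = payload.lower()
    return [field for field in H_FROM_FIELDS
            if field.lower().encode() + b": " + CRACKADDR_MARKER in lowered]


def generic_rule_hit(payload: bytes) -> bool:
    """Field-agnostic form asked about in the thread: any ': ' + marker."""
    return b": " + CRACKADDR_MARKER in payload


def classify(payload: bytes) -> dict:
    """Run both forms and report which header line actually carried the marker."""
    # RFC 5322 field name: printable ASCII except ':'; one line per header.
    m = re.search(rb"(?m)^([!-9;-~]+): " + re.escape(CRACKADDR_MARKER), payload)
    return {
        "hfrom_hits": hfrom_rule_hits(payload),
        "generic_hit": generic_rule_hit(payload),
        "marker_header": m.group(1).decode() if m else None,
    }


# Constructed SMTP DATA fragments (not captured traffic): headers only, CRLF-terminated.
SAMPLES = {
    "benign":         b"From: alice@example.net\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\n",
    "from_marker":    b"From: " + CRACKADDR_MARKER + b"@example.net\r\nTo: bob@example.net\r\n\r\n",
    "errors_to_low":  b"errors-to: " + CRACKADDR_MARKER + b"\r\nFrom: alice@example.net\r\n\r\n",
    "subject_marker": b"From: alice@example.net\r\nSubject: " + CRACKADDR_MARKER + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} {classify(payload)}")
```

The last sample shows the trade-off behind Chad's question: the generic content fires on any header followed by the marker, while the per-field rules stay silent on headers sendmail does not mark H_FROM.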
Current thread:
- Rule for sendmail-exploit Joerg Weber (Mar 05)
- Re: Rule for sendmail-exploit Elvir Crnic (Mar 05)