Re: sendmail 8.12.8 available

[Nico Erfurth <masta () perlgolf de>]

Florian Weimer wrote:
> Claus Assmann <ca+bugtraq () sendmail org> writes:
>
>
> > Sendmail, Inc., and the Sendmail Consortium announce the availability
> > of sendmail 8.12.8.  It contains a fix for a critical security
> > problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
> > for bringing this problem to our attention.  Sendmail urges all users to
> > either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
> > is part of this announcement.
>
>
> Would people be willing to share filter rules for other MTAs to block
> offending messages on relays?
>
> Thanks,

I'm not sure how the exploit works, but if I understood the LSD-analysis 
correctly, it uses the comment for the payload, and needs many <> in a 
parsed header. With exim4, this ACL should/could help.

First it checks for the header-syntax, that will reject the <><><><> 
used in the LSD-POC-code. The second condition should refuse to accept 
comments longer than 20 chars.

acl_data = check_message

check_message:
  require message = Invalid header syntax (Maybe sendmail exploit)
          verify  = header_syntax
  deny    message = Ohh, this looks like the sendmail-exploit
          condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply_to: \
                             $h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}}


No warranty ;)

Nico Erfurth