Re: Real-world attacks on sendmail CA-2003-07 seen

["Curt Wilson" <netw3_security () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----


Could "actively exploited" only mean that someone has compiled the LSD code and is launching attacks in an attempt to 
find a vulnerable systems? I'm guessing (without having tried it yet) that the exploit code, even when directed at a 
non-vulnerable system, may trigger the log alert that the patch added to sendmail. Of course it would not be too hard 
for a decent coder to modify the exploit or write their own.

If anyone actally detects a successful exploitation from this type of sendmail attack, for instance on one of your 
honeypot systems, please publicize any packet captures, tools, and any other data received in the process. I will check 
my own sendmail logs and see if I can come up with anything interesting on this front.

Curt Wilson

On Fri, 07 Mar 2003 09:37:13 -0800 Bennett Todd <bet () rahul net> wrote:
> Just a heads-up everyone, the sendmail header parsing buffer
> overflow announced this last Monday, as (among other things) CERT
> CA-2003-07[1] is now being actively exploited on the internet.
>
> We logged received msgs that triggered the truncator code this
> morning at about 3 in the morning, US/Eastern; three different
> attacks spread over two different MX hosts.

Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmMEARECACMFAj5sUZMcHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3K3qCAKCSoG5ycdvkiOuP6lHWd9dMENzTwQCdEWdmTcZd0px52BmDK6GXAWdJmbE=
=myz5
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>