Security Incidents mailing list archives

Snort Signatures for LSD-PL.NET Exploit


From: Loki <loki () fatelabs com>
Date: 10 Mar 2003 16:06:18 -0500

List:

Fate Research Labs and I are currently writing a research paper on our
analysis of several Sendmail exploit variants. We have provided initial
logfile analysis and new Snort signatures herein.

We agree with the views of Mike Poor. We do consider the use of depth
and offsets in IDS signatures to be dangerous. Once attackers start to
see IDSs looking for specific characters within the packets at a certain
depth or offset, they can simply move them to a new location within the
packet.

Our signatures haven't seemed to produce any false positives as of yet.
Our paper will be released shortly from here at SANS 2003.

Please send any suggested revisions to our signatures to
loki () fatelabs com.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/snort/alert
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (1) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665137 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x17F
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8954 IpLen:20
DgmLen:369 DF
***AP*** Seq: 0x9097CD8D  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]

[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (2) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665878 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x841
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8956 IpLen:20
DgmLen:2099 DF
***AP*** Seq: 0x9097CED9  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/maillog
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mar 11 00:33:53 victim sendmail[313]: h2B5Xmm00313: SYSERR: putoutmsg
(attacker): error on output channel sending "503 5.0.0 Need MAIL before
RCPT": Broken pipe
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: Dropped invalid
comments from header address
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: SYSERR(root):
Infinite loop in ruleset canonify, rule 16
Mar 11 00:33:54 victim sendmail[317]: h2B5Xrm00316: to=root,
delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32057, dsn=2.0.0,
stat=Sent
Mar 11 00:34:27 victim sendmail[327]: h2B5YRm00327:
from=anonymous () yahoo com, size=2380, class=0, nrcpts=1,
msgid=<200303110534.h2B5YRm00327 () victim net>, proto=SMTP, daemon=MTA,
relay=attacker [67.94.234.199]
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: Dropped invalid
comments from header address
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: SYSERR(root):
Infinite loop in ruleset canonify, rule 16
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: to=root,
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32057, dsn=2.0.0,
stat=Sent


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SNORT signatures from research
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (1)";\
flow:to_server; content:"|3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E|";\
flags:A+; nocase; reference:cve,CAN-2002-1337;\
classtype:attempted-admin; sid:2087; rev:1;)


alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (2)";\
flow:to_server; content:"|68 2F 2F 73 68 68 2F 62 69 6E 54 5B 50 53 54 59|";\
flags:A+; nocase; reference:cve,CAN-2002-1337;\
classtype:attempted-admin; sid:2087; rev:1;)




-- 
Loki <loki () fatelabs com>
Internet Warfare and Intelligence
Fate Research Labs, USA
http://www.fatelabs.com
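Added example, not part of the original post or of Fate Research Labs' own tooling: a small Python
re-implementation of the two content matches from the posted rules, run over constructed (not captured)
SMTP payloads, plus a side-by-side of a plain content match and a hypothetical offset/depth-constrained
match to show why the poster avoids depth and offset. The Rule class, the sample payloads and the
offset/depth values are assumptions made for the illustration; the content bytes are decoded from the
hex strings in the posted rules.

```python
# Added example (not from the original post): replays the content matches of the
# two posted Snort rules over constructed SMTP payloads and contrasts an
# unconstrained content match with one restricted by offset/depth.
from dataclasses import dataclass
from typing import List, Optional

# Content strings copied from the posted rules, decoded from their hex form.
RULE1_CONTENT = bytes.fromhex("3C3E3C3E3C3E3C3E3C3E3C3E3C3E")      # b"<>" * 7
RULE2_CONTENT = bytes.fromhex("682F2F7368682F62696E545B50535459")  # b"h//shh/binT[PSTY"


@dataclass(frozen=True)
class Rule:
    """Hypothetical minimal model of a Snort content rule (assumption for this example)."""
    sid: int                    # both posted rules carry sid 2087
    msg: str
    content: bytes
    nocase: bool = True         # posted rules use nocase; only affects ASCII letters
    offset: Optional[int] = None  # NOT used by the posted rules; set only to show evasion
    depth: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        """Return True if content appears in payload (within offset/depth if given)."""
        if self.offset is None and self.depth is None:
            window = payload
        else:
            start = self.offset or 0
            end = start + self.depth if self.depth is not None else len(payload)
            window = payload[start:end]
        needle, hay = self.content, window
        if self.nocase:
            needle, hay = needle.lower(), hay.lower()
        return needle in hay


# The two rules as posted: content only, no offset/depth.
POSTED_RULES = [
    Rule(2087, "LSD-PL.NET Sendmail Buffer Overflow (1)", RULE1_CONTENT),
    Rule(2087, "LSD-PL.NET Sendmail Buffer Overflow (2)", RULE2_CONTENT),
]


def scan(payload: bytes, rules=POSTED_RULES) -> List[str]:
    """Return the msg of every rule whose content is found in the payload."""
    return [r.msg for r in rules if r.matches(payload)]


# Constructed sample payloads (not captured traffic).
# A header address stuffed with "<>" pairs, which rule (1) looks for.
SAMPLE_HEADER = b"From: " + b"<>" * 40 + b"\r\n"
# NOP sled followed by the /bin//sh push sequence rule (2) looks for.
SAMPLE_BODY = b"Subject: x\r\n\r\n" + b"\x90" * 64 + RULE2_CONTENT + b"\xcd\x80\r\n.\r\n"
# Ordinary mail that should match nothing.
SAMPLE_BENIGN = (b"From: <alice@example.com>\r\nTo: <bob@example.com>\r\n"
                 b"\r\nhello\r\n.\r\n")


def evasion_demo(prefix_len: int):
    """Return (plain_hits, constrained_hits) for a "<>" run that an attacker has
    pushed prefix_len filler bytes deeper into the packet. The constrained rule
    uses an assumed offset:0/depth:64 window, which is exactly the kind of
    rule the post argues against."""
    payload = b"X-Pad: " + b"a" * prefix_len + b"\r\nFrom: " + b"<>" * 40 + b"\r\n"
    plain = Rule(2087, "plain", RULE1_CONTENT)
    constrained = Rule(2087, "offset/depth", RULE1_CONTENT, offset=0, depth=64)
    return plain.matches(payload), constrained.matches(payload)


if __name__ == "__main__":
    for name, sample in (("header", SAMPLE_HEADER), ("body", SAMPLE_BODY), ("benign", SAMPLE_BENIGN)):
        print(name, scan(sample))
    print("short prefix ", evasion_demo(10))
    print("long prefix  ", evasion_demo(200))
```

The decoded content of rule (2) is the usual x86 push of "//sh" and "/bin" onto the stack followed
by the register shuffle that sets up an execve of /bin//sh, so that rule keys on the shellcode rather
than on the malformed header; rule (1) keys on the run of empty angle-bracket addresses that produces
the "Dropped invalid comments from header address" and "Infinite loop in ruleset canonify" lines in
the maillog above. evasion_demo shows the post's point: once the "<>" run is pushed past the 64-byte
window the offset/depth rule goes blind while the plain content match still fires.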


