Security Incidents mailing list archives

Re: Possible Mail server compromise ?


From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Wed, 20 Feb 2008 20:25:51 +0100

Dear Bob,

I don't want to start a flame war, let's keep the information relevant
and on topic, as such I'd like to comment on things relevant to the
general public, everything else is private mail. :) ok?

It goes without saying that patching does not protect against zero day
exploits.
:)

I don't understand what you are saying.  I am assuming that the nruns.com
product is scanning for viruses in email.
Hmm, I am not sure you (or I) got it right, but apparently they don't parse
the data. So basically if they don't parse it they are a lot less vulnerable
to remote attacks, agree?

Thus, the data (the email)
can be manipulated by the attacker.
See above, as I understand it, there is no parsing involved apart
from your normal FROM etc. headers.
Attachments that normally contain the payloads (read lots of formats)
are usually

"No-Parsing paradigma"?  Paradigma isn't even a word (according to
www.merriam-webster.com).
You are referring to a typo instead of commenting on my concern, let's
keep the mails relevant for the general public. If your comment was
sincere: you should look up "paradigm"

Our product (and to various degrees others, such as raw ClamAV) also run
in a "sealed" environment such as a separate UID, chroot'ed, etc.
I beg to differ, chroot is by no means a "sealed" environment. There
are lots of ways to break out of it...

No, ClamAV would not be vulnerable to this ...
What I posted here was an exploit against ClamAV
http://milw0rm.com/exploits/4761

Regards,
Faas.M.Mathiasen

