Snort mailing list archives

Re: Exploit? (RCPT overflow)


From: matt <mkettler () evi-inc com>
Date: Thu, 13 Jun 2002 20:26:56 -0400

Personally, that rule is so incredibly false-alert prone that I've disabled it.

It merely looks for a TCP frame going to your SMTP server which contains more than 800 bytes of data.. Any email can easily set that off if pipelining is used.


SMTP command pipelining allows several command lines to be sent as a single packet without waiting for an OK response. Any good high-volume mailserver will try to pipeline where possible, resulting in a single TCP frame containing a series of command lines, each of which is not very long, but in aggregate easily exceed the 800 byte threshold, particularly if there is a large recipient list.

For more info on pipelining: http://www.faqs.org/rfcs/rfc1854.html

Since I know my mailserver is patched against such overflows, and I know the alert goes off at least three times a day here for various emails in the category listed above, I find that rule to be beyond worthless.

The rule can also be misled using carefully crafted packets to ensure that the RCPT TO: exploit is split into multiple frames. Stream4 can re-assemble the stream for content patterns, but it cannot total the segment length up (otherwise EVERY email would trigger this rule)

So I send one tcp frame containing:

    RCPT To: something

Then another several frames containing:

  really long that will overflow the rcpt

  to buffer within old and buggy mailservers

  {insert shellcode here}

  {more shellcode}
   ...
  [cr]


Boom, rcpt to: overflow without alerting that particular snort rule.

Sorry, but IMHO that rule is worthless since it will be triggered by valid SMTP traffic to a large CC list in your domain, but can easily be avoided by someone not-very-clever. Unless your mailserver doesn't support pipelines, kill it, kill it dead.


At 04:01 PM 6/13/2002 -0700, Michael Northup wrote:
Today I'm seeing a lot of "SMTP RCPT TO overflow" alerts from a variety of outside sources. Is anyone else seeing the same?

Michael Northup
Burton Saw & Supply Co.
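The two failure modes Matt describes (a legitimate pipelined batch tripping a per-segment size check, and an overflow split across segments slipping past it) can be reproduced offline. The following is an added example written for this archive page, not code from the thread or from Snort: it models the rule as "any single TCP segment to port 25 carrying more than 800 bytes of payload", then contrasts it with a per-line check over the reassembled stream. The 256-byte per-argument limit, the sample addresses and the segment sizes are my assumptions; all traffic is constructed inline.

```python
# Added example: per-segment size check vs. per-line check on the reassembled stream.
# Constructed sample traffic; nothing here is captured from a real mailserver.

SMTP_PORT = 25
RULE_DSIZE_THRESHOLD = 800   # threshold the thread describes: ">800 bytes of data" in one segment
RCPT_ARG_LIMIT = 256         # assumed per-line limit for the reassembled check (not from the thread)


def segments_for(payload, dport=SMTP_PORT, seq0=1000, chunk=None):
    """Cut a payload into TCP-segment-like dicts. chunk=None keeps it in one segment."""
    if chunk is None:
        chunk = len(payload)
    segs = []
    seq = seq0
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        segs.append({"dport": dport, "seq": seq, "payload": piece})
        seq += len(piece)
    return segs


def dsize_rule_hits(segments):
    """Per-segment check modelled on the rule: flag any single segment to port 25
    whose payload exceeds the threshold. Returns the indices of flagged segments."""
    return [i for i, s in enumerate(segments)
            if s["dport"] == SMTP_PORT and len(s["payload"]) > RULE_DSIZE_THRESHOLD]


def reassemble(segments):
    """Order by sequence number and concatenate, as a stream reassembler would."""
    return b"".join(s["payload"] for s in sorted(segments, key=lambda s: s["seq"]))


def rcpt_lines_over_limit(stream, limit=RCPT_ARG_LIMIT):
    """Reassembled-stream check: split on CRLF and measure the argument of every
    RCPT TO: line. Returns the argument lengths that exceed the limit."""
    hits = []
    for line in stream.split(b"\r\n"):
        if line[:8].upper() == b"RCPT TO:":
            arg = line[8:].strip()
            if len(arg) > limit:
                hits.append(len(arg))
    return hits


def build_pipelined_batch(n_recipients):
    """Constructed legitimate pipelined batch: MAIL FROM, many short RCPT TO lines, DATA."""
    lines = [b"MAIL FROM:<sender@example.com>"]
    lines += [b"RCPT TO:<user%03d@example.com>" % i for i in range(n_recipients)]
    lines.append(b"DATA")
    return b"\r\n".join(lines) + b"\r\n"


def scenario_pipelined(n_recipients=30):
    """A large CC list pipelined into one segment: the size rule fires, the
    per-line check stays quiet (every RCPT argument is short)."""
    segs = segments_for(build_pipelined_batch(n_recipients))
    return {"payload_len": len(segs[0]["payload"]),
            "dsize_hits": dsize_rule_hits(segs),
            "rcpt_overflow": rcpt_lines_over_limit(reassemble(segs))}


def scenario_split_overflow(arg_len=2000, chunk=100):
    """One oversized RCPT TO: argument delivered in small segments: no single
    segment exceeds the threshold, so the size rule is silent; the per-line
    check over the reassembled stream still sees the long argument."""
    payload = b"RCPT TO:" + b"A" * arg_len + b"\r\n"
    segs = segments_for(payload, chunk=chunk)
    return {"segment_count": len(segs),
            "dsize_hits": dsize_rule_hits(segs),
            "rcpt_overflow": rcpt_lines_over_limit(reassemble(segs))}


if __name__ == "__main__":
    print("pipelined batch :", scenario_pipelined())
    print("split overflow  :", scenario_split_overflow())
```

The per-line check is only as good as the reassembly feeding it: it sees the long argument because it looks at the stream after ordering by sequence number, which is exactly the step the thread says the size-based rule does not perform.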




