Snort mailing list archives

Re: Rule for sendmail-exploit


From: "Elvir Crnic" <elvir.crnic () abnamro nl>
Date: Wed, 5 Mar 2003 14:30:30 +0100

Try this from snort-signature mailing list

From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: "Joe Stewart" <jstewart () lurhq com>, <snort-sigs () lists sourceforge net>,
        <intrusions () incidents org>
Date: Tue, 4 Mar 2003 14:40:34 -0600


Could this not be rewritten to be less specific to the type of fields
that are being used?

Such as:

content:"\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|";

and does this mean that the current rule in CVS for this vulnerability
should be changed to not only match for From:?

-----Original Message-----
From: Joe Stewart [mailto:jstewart () lurhq com]
Sent: Tuesday, March 04, 2003 1:23 PM
To: snort-sigs () lists sourceforge net; intrusions () incidents org
Subject: [Snort-sigs] Sendmail crackaddr header overflow sigs


I wrote and tested the signatures below based on the LSD proof-of-concept
code, but I've expanded them to make them less specific to a particular
implementation. An exploit for this vulnerability can utilize any header
field marked internally by sendmail as having the H_FROM flag set.
According to the sendmail source, these fields are:

Resent-Sender:
Resent-From:
Resent-Reply-To:
Sender:
From:
Reply-To:
Errors-To:

I therefore propose the following signatures to detect the overflow attempt:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Sender\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"From\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Reply-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT Sendmail crackaddr overflow"; flow: to_server; content:"Errors-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337; classtype:attempted-admin; rev:1;)


-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
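As an added illustration, not code from this thread or from Snort, the script below emulates the content matches above as case-insensitive substring searches over a message's DATA block, so the two proposals in the thread can be compared side by side: Joe Stewart's four per-field rules and Chad Kreimendahl's field-agnostic "\: |3c3e ...|" match. The sample messages are constructed for the example, and the helper names (content_match, classify, is_h_from) are the example's own. Two consequences of how Snort's content option works come out of the run: because the match is a plain substring search, the four rules already fire on all seven H_FROM fields ("Sender: " is contained in "Resent-Sender: ", and so on), and because both rule forms require the literal ": " immediately followed by the "<>" run, a header with a tab after the colon carries the same value to a header-aware parser but triggers neither byte pattern.

```python
"""
Emulation of the Snort content matches discussed in this thread, run over
constructed SMTP DATA blocks. Added example, not code from the thread or
from Snort. Assumes each payload is the header block plus body as the
client sends it after DATA, with CRLF line ends.
"""

# Eight "<>" pairs: the |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e| byte string.
MARKER = b"<>" * 8

# Header fields sendmail flags H_FROM, as listed by Joe Stewart in the thread.
H_FROM_FIELDS = ("Resent-Sender", "Resent-From", "Resent-Reply-To",
                 "Sender", "From", "Reply-To", "Errors-To")

# Stewart's four rules: literal "<field>: " immediately followed by the marker.
# Snort's content option is a substring search, so "From: " also matches
# inside "Resent-From: ", and these four patterns cover all seven fields.
SPECIFIC_RULES = {
    "Sender": b"Sender: " + MARKER,
    "From": b"From: " + MARKER,
    "Reply-To": b"Reply-To: " + MARKER,
    "Errors-To": b"Errors-To: " + MARKER,
}

# Kreimendahl's proposal: drop the field name and match ": " plus the marker.
GENERIC_RULE = b": " + MARKER


def content_match(payload, pattern):
    """Case-insensitive substring search, like content:"..."; nocase;"""
    return pattern.lower() in payload.lower()


def specific_hits(payload):
    """Names of the per-field rules that fire on this payload."""
    return [name for name, pat in SPECIFIC_RULES.items()
            if content_match(payload, pat)]


def generic_hit(payload):
    """True if the field-agnostic rule fires."""
    return content_match(payload, GENERIC_RULE)


def unfold_headers(payload):
    """Header block as unfolded b"Name: value" lines; stops at the blank line."""
    lines = []
    for line in payload.split(b"\r\n"):
        if line == b"":
            break
        if line[:1] in (b" ", b"\t") and lines:
            lines[-1] += b" " + line.strip()  # folded continuation line
        else:
            lines.append(line)
    return lines


def marker_fields(payload):
    """Fields whose value contains the marker, as a header-aware parser sees it,
    independent of the exact bytes between ':' and the first '<'."""
    fields = []
    for line in unfold_headers(payload):
        name, sep, value = line.partition(b":")
        if sep and MARKER in value:
            fields.append(name.strip().decode("ascii", "replace"))
    return fields


def is_h_from(field):
    """Whether the field is one the thread lists as H_FROM (case-insensitive)."""
    return field.lower() in (f.lower() for f in H_FROM_FIELDS)


def classify(payload):
    """(per-field rules fired, generic rule fired, fields carrying the marker)."""
    return specific_hits(payload), generic_hit(payload), marker_fields(payload)


def build_message(header_line):
    """Constructed DATA block with one attacker-controlled header line."""
    return (header_line + b"\r\n"
            b"To: victim@example.test\r\n"
            b"Subject: test\r\n"
            b"\r\n"
            b"body\r\n.\r\n")


# Constructed samples, not captured traffic.
SAMPLE_FROM = build_message(b"From: " + MARKER)               # the PoC shape
SAMPLE_RESENT = build_message(b"Resent-Reply-To: " + MARKER)  # hit via "Reply-To: "
SAMPLE_OTHER = build_message(b"X-Note: " + MARKER)            # not an H_FROM field
SAMPLE_TAB = build_message(b"From:\t" + MARKER)               # tab, not space

if __name__ == "__main__":
    for label, msg in (("From", SAMPLE_FROM), ("Resent-Reply-To", SAMPLE_RESENT),
                       ("X-Note", SAMPLE_OTHER), ("From+tab", SAMPLE_TAB)):
        specific, generic, carriers = classify(msg)
        print(f"{label:16} specific={specific} generic={generic} "
              f"carriers={carriers} h_from={[is_h_from(c) for c in carriers]}")
```

Running it shows the generic rule firing on the X-Note sample, a field the thread does not list as H_FROM, which is the trade-off Kreimendahl's question raises, and shows neither rule form matching the tab sample even though the parser still finds the marker in From:.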

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

