Snort mailing list archives

Re: Question on 663


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:04:39 -0500

Quoting rmkml <rmkml () free fr>:

on bid1 discuss:
"Sendmail's debug mode allows the recipient of an email message to  
be a program that runs with the privileges of the user id which  
sendmail is running under."

right.  i got that.  bugtraq bid 1 discusses the case where sendmail  
has been compiled with the debug option enabled and some outside user  
is trying to access sendmail's "debug" command.  got it.

so back to sid 663:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)

this rule is *not* about debug.  it does not detect someone using the  
"debug" command.  this rule is about something else entirely.  the  
references are probably incorrect.  but i can find nothing on bugtraq  
about a sendmail exploit using the RCPT TO command.

Back in the arachnid days (this from august of 2002), sid=663 looked  
like this:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)

so maybe this rule has never been right.


jp

On Thu, 9 Apr 2009, Jack Pepper wrote:

Quoting rmkml <rmkml () free fr>:

maybe look:
http://www.securityfocus.com/bid/1/exploit

Yeah, that's kind of my point, eh?  bugtraq bid 1 is not an exploit  
in RCPT, it's something completely different involving an exploit  
in DEBUG.

jp

On Thu, 9 Apr 2009, Jack Pepper wrote:

This rule looks for "RCPT TO: ;"

The reference to cve,1999-0095 regards sendmail having the "debug"
command enabled. Ditto for the bugtraq,1 reference.  And arachnids has
been dead for at least 5 years.

Anybody know why this rule exists?  What is the exploitation of RCPT TO?

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com


------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

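As an added example (not part of this thread and not Snort's own code), the following Python script decodes the rev:4 content bytes quoted above and applies the two detection options of rev:15, the case-insensitive content match and the pcre, to a handful of constructed SMTP client commands, so you can check what each revision of sid 663 actually flags. It models only the content and pcre options; flow state and the stream reassembly Snort performs before matching are assumed away, and the sample commands are made up for the test rather than captured traffic.

```python
import re

# Detection options copied from sid:663 rev:15 as quoted in the thread.
# content:"rcpt to|3A|"; nocase;  ->  the bytes "rcpt to:" matched case-insensitively
RCPT_CONTENT = b"rcpt to:"
# pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"  ->  flags s, m, i map onto re.S, re.M, re.I
RCPT_PCRE = re.compile(rb"^rcpt\s+to\:\s*[|\x3b]", re.S | re.M | re.I)

# Content bytes from the 2002 rev:4 of the same sid, in Snort's |hex| notation.
OLD_CONTENT_HEX = "7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27"


def snort_hex_to_bytes(hex_string):
    """Turn the inside of a Snort |..| hex content block into raw bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


OLD_CONTENT = snort_hex_to_bytes(OLD_CONTENT_HEX)


def matches_rev4(payload):
    """2002 revision: a plain byte-string match anywhere in the client payload."""
    return OLD_CONTENT in payload


def matches_rev15(payload):
    """2009 revision: every option in a Snort rule must match, so the
    case-insensitive content check and the pcre are ANDed here."""
    if RCPT_CONTENT not in payload.lower():
        return False
    return RCPT_PCRE.search(payload) is not None


# Constructed client-side SMTP commands (not real traffic). The last one embeds
# the decoded rev:4 bytes so both revisions can be compared on the same input.
SAMPLE_COMMANDS = [
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"RCPT TO: ;\r\n",
    b"rcpt to: |\r\n",
    b"RCPT TO: " + OLD_CONTENT + b"\r\n",
]


def classify(commands):
    """Return (command, rev4_hit, rev15_hit) for each payload."""
    return [(c, matches_rev4(c), matches_rev15(c)) for c in commands]


if __name__ == "__main__":
    for cmd, old, new in classify(SAMPLE_COMMANDS):
        print(f"rev4={old!s:5} rev15={new!s:5} {cmd!r}")
```

Running it prints one line per sample command. Only the last sample, the one built from the decoded rev:4 bytes, is flagged by both revisions; the two `RCPT TO: ;` / `rcpt to: |` samples fire rev:15 alone and a normal `RCPT TO:<address>` fires neither, which is a quick way to see for yourself that the current pcre and the 2002 byte string are looking for different things.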