Re: Real-world attacks on sendmail CA-2003-07 seen
From: "james" <jamesh () cybermesa com>
Date: Mon, 10 Mar 2003 13:08:06 -0700
Here are some Snort sigs for the Sendmail exploit (YMMV -- they match the public exploit's byte patterns, not the bug itself):
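###################################################################
# Sendmail crackaddr() header-parsing overflow
# CERT CA-2003-07 / CAN-2002-1337 / VU#398025
#
# Read before deploying:
#  * These rules match what the public exploit puts on the wire (a run
#    of "<>" in an address header, and one particular shellcode).  They
#    do NOT match the underlying bug.  crackaddr() can be pushed past
#    its buffer with other mixes of "<", ">", "(" and ")", so a quiet
#    sensor means "this exploit not seen", not "not attacked".  The
#    fix is the sendmail patch; the IDS is for triage.
#  * This is a header attack and survives relaying: the vulnerable
#    host sees the message arrive from the relay, not the attacker.
#    The sensor must watch every hop that delivers to an unpatched
#    MTA, internal relays included, or the only thing logged is the
#    first hop.
#  * RFC 2822 header names are case-insensitive ("from:" is valid), so
#    every header-name match carries nocase.  The original set had
#    nocase only on the hex-pattern rules, where it did nothing.
#  * Each rule has its own sid in the local range (>= 1000000).  The
#    original set gave every rule sid:2087 with differing rev values;
#    Snort treats same-sid rules as revisions of ONE rule, so at load
#    time most of the set would be discarded or rejected and whatever
#    survived could not be told apart in the alert log.
#  * Rule B (bare "<>(") is a broad net and will fire on unusual but
#    legitimate addresses.  Use it for hunting, never for blocking.
#  * All rules are inbound-to-server only (flow:to_server,established)
#    and use $SMTP_SERVERS; the original shellcode rule used $HOME_NET,
#    which alerts on any host and not only the MTAs.
###################################################################

# Shellcode seen in the public exploit.  The bytes are the tail of the
# usual x86 Linux execve("/bin/sh") sequence (push "//sh", push "/bin",
# push esp / pop ebx / ... / xor edx,edx).  Any attacker can swap the
# payload, so this is corroboration for the header rules, not the
# primary detector.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow shellcode"; \
    flow:to_server,established; content:"|2f73 6868 2f62 696e 545b 5053 5459 31d2|"; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000001; rev:1;)

# Rules A: long "<>" run following a specific address header, then a
# "(" and a ")" somewhere after it.  One rule per header so the alert
# says which header carried the payload.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A (From)"; \
    flow:to_server,established; content:"From\:"; nocase; \
    content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A (Sender)"; \
    flow:to_server,established; content:"Sender\:"; nocase; \
    content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000003; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A (Reply-To)"; \
    flow:to_server,established; content:"Reply-To\:"; nocase; \
    content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000004; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A (Errors-To)"; \
    flow:to_server,established; content:"Errors-To\:"; nocase; \
    content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000005; rev:1;)

# Rule A1: same "<>" run with no header anchor, catches the payload in
# any header (or in a body quoting the exploit).  Expect the A rules
# and this one to fire together on a real attempt.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A1 (any header)"; \
    flow:to_server,established; content:"<><><><><><><><><><><><><><><><><><><><><><>"; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000006; rev:1;)

# Rule B: "<>(" anywhere in the session.  Very broad -- hunting only.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow B (broad)"; \
    flow:to_server,established; content:"|3c3e28|"; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000007; rev:1;)

# Rules C-F: a shorter run of eight "<>" pairs immediately after the
# header name, for exploit variants that trim the long run matched by
# the A rules.  Hex kept as in the original (3c3e == "<>").
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow C (Sender)"; \
    flow:to_server,established; content:"Sender\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000008; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow D (From)"; \
    flow:to_server,established; content:"From\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000009; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow E (Reply-To)"; \
    flow:to_server,established; content:"Reply-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000010; rev:1;)
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow F (Errors-To)"; \
    flow:to_server,established; content:"Errors-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:1000011; rev:1;)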