
Security Incidents: Re: Real-world attacks on sendmail CA-2003-07 seen

Re: Real-world attacks on sendmail CA-2003-07 seen

From: Curt Wilson <netw3_security_at_hushmail.com>
Date: Mon, 10 Mar 2003 00:52:52 -0800


Could "actively exploited" only mean that someone has compiled the LSD code and is launching attacks in an attempt to find vulnerable systems? I'm guessing (without having tried it yet) that the exploit code, even when directed at a non-vulnerable system, may trigger the log alert that the patch added to sendmail. Of course it would not be too hard for a decent coder to modify the exploit or write their own.

If anyone actually detects a successful exploitation from this type of sendmail attack, for instance on one of your honeypot systems, please publicize any packet captures, tools, and any other data received in the process. I will check my own sendmail logs and see if I can come up with anything interesting on this front.

Curt Wilson

On Fri, 07 Mar 2003 09:37:13 -0800 Bennett Todd <bet_at_rahul.net> wrote:
>Just a heads-up everyone, the sendmail header parsing buffer
>overflow announced this last Monday, as (among other things) CERT
>CA-2003-07[1] is now being actively exploited on the internet.
>
>We logged received msgs that triggered the truncator code this
>morning at about 3 in the morning, US/Eastern; three different
>attacks spread over two different MX hosts.
>

Curt R. Wilson
Netw3 Security
www.netw3.com

Received on Mar 10 2003
