Full Disclosure mailing list archives

Re: TCP port 25 traffic?


From: Matthias Wabersich <ssy () niafc de>
Date: Sun, 17 Aug 2003 17:00:44 +0200

On Sat, 16 Aug 2003 15:45:09 -0700
Josh Karp <josh.karp () visionael com> wrote:

I've seen an unusual amount of connection attempts to TCP port 25 on a
particular system in my network as of the past 48 hours or so. It's only
this one system, and it's multiple source IPs. Is there anything new for
SMTP? 

Thanks for any info... josh 

Hello all,

First post on this list *sigh*.
The German RUS-CERT of the University of Stuttgart stated on Thu, 14 August that there is a flaw in Exim (Ver. 3.x and 4.x up to 4.20). Version 4.21 is not affected. In these versions it is possible to overflow a buffer using the HELO or EHLO command.

According to the post, the buffer can only be overwritten with constant data that is not given by the attacker. So an exploitation of this flaw is unlikely.

You can use these patches to fix up the flaw: 

http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html


If you are capable of reading German, here is the original post:

http://CERT.Uni-Stuttgart.DE/ticker/article.php?mid=1133


As stated earlier, it is unlikely that this flaw can be exploited, but one never knows. I could not confirm any odd behaviour of Exim since I am using vendor-provided versions which obviously are not affected.

Greetings,

M.W.
(I apologize for my bad English if you find it to be so)