Security Incidents mailing list archives
Snort Signatures for LSD-PL.NET Exploit
From: Loki <loki () fatelabs com>
Date: 10 Mar 2003 16:06:18 -0500
List:

Myself along with Fate Research Labs is currently writing a research paper on our analysis of several Sendmail exploit variants. We have provided initial logfile analysis and new Snort signatures herein. We agree with the views of Mike Poor. We do consider the use of depth and offsets in IDS signatures to be dangerous. Once attackers start to see IDSs looking for specific characters within the packets at a certain depth or offset, they can simply move them to a new location within the packet. Our signatures haven't seemed to produce any false positives as of yet. Our paper will be released shortly from here at SANS 2003. Please send any suggested revisions to our signatures to loki () fatelabs com.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/snort/alert
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (1) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665137 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x17F
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8954 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x9097CD8D  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]

[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (2) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665878 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x841
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8956 IpLen:20 DgmLen:2099 DF
***AP*** Seq: 0x9097CED9  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/maillog
***********************************************************************

Mar 11 00:33:53 victim sendmail[313]: h2B5Xmm00313: SYSERR: putoutmsg (attacker): error on output channel sending "503 5.0.0 Need MAIL before RCPT": Broken pipe
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: Dropped invalid comments from header address
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: SYSERR(root): Infinite loop in ruleset canonify, rule 16
Mar 11 00:33:54 victim sendmail[317]: h2B5Xrm00316: to=root, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32057, dsn=2.0.0, stat=Sent
Mar 11 00:34:27 victim sendmail[327]: h2B5YRm00327: from=anonymous () yahoo com, size=2380, class=0, nrcpts=1, msgid=<200303110534.h2B5YRm00327 () victim net>, proto=SMTP, daemon=MTA, relay=attacker [67.94.234.199]
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: Dropped invalid comments from header address
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: SYSERR(root): Infinite loop in ruleset canonify, rule 16
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32057, dsn=2.0.0, stat=Sent

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SNORT signatures from research
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (1)"; \
    flow:to_server; content:"|3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E|"; \
    flags:A+; nocase; reference:cve,CAN-2002-1337; \
    classtype:attempted-admin; sid:2087; rev:1;)

alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (2)"; \
    flow:to_server; content:"|68 2F 2F 73 68 68 2F 62 69 6E 54 5B 50 53 54 59|"; \
    flags:A+; nocase; reference:cve,CAN-2002-1337; \
    classtype:attempted-admin; sid:2087; rev:1;)

-- 
Loki <loki () fatelabs com>
Internet Warfare and Intelligence
Fate Research Labs, USA
http://www.fatelabs.com
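The two detections the post describes, reduced to plain Python so they can be exercised offline. This is an added example, not code from the original post or from Fate Research Labs. It reimplements only the content-match part of the two posted Snort rules as byte searches over a reassembled client-to-server SMTP stream, with an optional bound on how far into the stream to look, so the weakness the author warns about (a pattern pushed past a depth limit by padding) is visible; and it correlates, per sendmail queue ID, the two maillog lines the post's victim logged for each attack. The SMTP payloads and the extra benign log line are constructed for the example; the other log lines are copied from the post. The two rules share sid:2087 as posted, so the example keys them by their msg strings. Matching is case-sensitive, unlike the rules' nocase, and the stock sendmail 8.x syslog line layout is assumed.

```python
"""Offline re-creation of the post's network and host-log indicators."""
import re
from typing import Dict, List, Optional, Set

# Content bytes copied from the posted rules, keyed by msg (both use sid:2087).
RULES = {
    "LSD-PL.NET Sendmail Buffer Overflow (1)":
        bytes.fromhex("3C3E3C3E3C3E3C3E3C3E3C3E3C3E"),      # b"<><><><><><><>"
    "LSD-PL.NET Sendmail Buffer Overflow (2)":
        bytes.fromhex("682F2F7368682F62696E545B50535459"),  # push "//sh"; push "/bin"; ...
}


def match_rules(stream: bytes, depth: Optional[int] = None) -> List[str]:
    """Names of rules whose content occurs in `stream`.

    `stream` is the client->server half of one SMTP session (the rules'
    flow:to_server). depth=None searches all of it, as the posted rules do;
    an integer restricts the search to the first N bytes, roughly what a
    `depth:N` modifier would do. Case-sensitive, unlike the rules' nocase.
    """
    haystack = stream if depth is None else stream[:depth]
    return [name for name, pat in RULES.items() if pat in haystack]


# sendmail syslog line: "... sendmail[PID]: QUEUEID: message"  (assumed format)
_MAILLOG = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$")
_DROPPED = "Dropped invalid comments from header address"
_LOOP = "SYSERR(root): Infinite loop in ruleset canonify"


def maillog_indicators(lines: List[str]) -> List[str]:
    """Queue IDs for which BOTH indicator lines appear.

    Either line alone is noise (a malformed but harmless header can produce
    the first); the pair, as in the post's log, is what is worth alerting on.
    Order and adjacency are not required, only a shared queue ID.
    """
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        m = _MAILLOG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith(_DROPPED):
            seen.setdefault(m.group("qid"), set()).add("dropped")
        elif msg.startswith(_LOOP):
            seen.setdefault(m.group("qid"), set()).add("loop")
    return sorted(qid for qid, tags in seen.items() if tags == {"dropped", "loop"})


# --- constructed sample input (not captures from the exploit) ---------------
BENIGN_SMTP = b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
# Header carrying the empty-address run, then a NOP sled and the shellcode bytes.
ATTACK_BODY = (b"From: " + b"<>" * 7 + b"\r\n"
               + b"\x90" * 16 + RULES["LSD-PL.NET Sendmail Buffer Overflow (2)"] + b"\r\n")
ATTACK_SMTP = b"DATA\r\n" + ATTACK_BODY
# Same attack behind 4 KB of filler header, pushing both patterns past byte 1024.
SHIFTED_SMTP = b"DATA\r\nX-Filler: " + b"A" * 4096 + b"\r\n" + ATTACK_BODY

SAMPLE_MAILLOG = [
    # three lines from the post's maillog excerpt
    "Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: Dropped invalid comments from header address",
    "Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: SYSERR(root): Infinite loop in ruleset canonify, rule 16",
    "Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32057, dsn=2.0.0, stat=Sent",
    # constructed: a lone 'Dropped invalid comments' from an unrelated message
    "Mar 11 00:40:01 victim sendmail[402]: h2B5e1m00402: Dropped invalid comments from header address",
]

if __name__ == "__main__":
    print(match_rules(BENIGN_SMTP))               # []
    print(match_rules(ATTACK_SMTP))               # both rule names
    print(match_rules(SHIFTED_SMTP, depth=1024))  # []  (depth bound defeated)
    print(match_rules(SHIFTED_SMTP))              # both rule names again
    print(maillog_indicators(SAMPLE_MAILLOG))     # ['h2B5YRm00327']
```

The third call is the author's argument in miniature: the same payload that fires both rules when the whole stream is searched fires neither once the search is capped at 1024 bytes and the attacker has prepended filler. The host-side check is the complement the post's maillog suggests: the "Dropped invalid comments" line on its own is not actionable, but paired with the canonify ruleset loop under the same queue ID it marks the message that triggered the overflow path.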