Snort mailing list archives
Re: Question on 663
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:04:39 -0500
Quoting rmkml <rmkml () free fr>:

> on bid1 discuss: "Sendmail's debug mode allows the recipient of an email message to be a program that runs with the privileges of the user id which sendmail is running under."
Right. I got that. Bugtraq bid 1 discusses the case where sendmail has been compiled with the debug option enabled and some outside user is trying to access sendmail's "debug" command. Got it. So back to sid 663:

    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)

This rule is *not* about debug. It does not detect someone using the "debug" command. This rule is about something else entirely. The references are probably incorrect. But I can find nothing on Bugtraq about a sendmail exploit using the RCPT TO command.

Back in the arachnids days (this from August of 2002), sid=663 looked like this:

    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)

So maybe this rule has never been right.

jp
> On Thu, 9 Apr 2009, Jack Pepper wrote:
>
>> Quoting rmkml <rmkml () free fr>:
>>
>>> maybe look: http://www.securityfocus.com/bid/1/exploit
>>
>> Yeah, that's kind of my point, eh? bugtraq bid 1 is not an exploit in RCPT, it's something completely different involving an exploit in DEBUG.
>>
>> jp
>>
>>> On Thu, 9 Apr 2009, Jack Pepper wrote:
>>>
>>>> This rule looks for "RCPT TO: ;"
>>>>
>>>> The reference to cve,1999-0095 regards sendmail having the "debug" command enabled. Ditto for the bugtraq,1 reference. And arachnids has been dead for at least 5 years.
>>>>
>>>> Anybody know why this rule exists? What is the exploitation of RCPT TO ?
>>>>
>>>> jp
>>>>
>>>> --
>>>> Framework? I don't need no stinking framework!
>>>> @fferent Security Labs: Isolate/Insulate/Innovate
>>>> http://www.afferentsecurity.com
>>
>> --
>> Framework? I don't need no stinking framework!
>> @fferent Security Labs: Isolate/Insulate/Innovate
>> http://www.afferentsecurity.com
--
Framework? I don't need no stinking framework!
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
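To make the thread's point concrete, here is an added Python example (not from the thread, and not Snort's own code) that decodes the hex content of the 2002-era rev 4 rule into the literal string it matched, and emulates the rev 15 rule's content-then-pcre check over a few constructed SMTP client lines, including a bare DEBUG command that the rule does not fire on:

```python
import re

# pcre from sid 663 rev 15 as quoted in the thread: /^rcpt\s+to\:\s*[|\x3b]/smi
# Snort's s, m, i flags map to Python's re.S, re.M, re.I.
SID_663_PCRE = re.compile(r"^rcpt\s+to\:\s*[|\x3b]", re.M | re.S | re.I)

# The rule's content keyword with nocase; Snort only evaluates the pcre
# after this content match succeeds, so we do the same.
SID_663_CONTENT = b"rcpt to:"

# |hex| content from the rev 4 version ("SMTP sendmail 5.5.8 overflow").
SID_663_REV4_HEX = "7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27"


def decode_rev4_content() -> str:
    """Return the literal string the 2002-era rule's hex content matched."""
    return bytes.fromhex(SID_663_REV4_HEX.replace(" ", "")).decode("ascii")


def sid_663_rev15_matches(payload: bytes) -> bool:
    """Emulate the rev 15 rule body: nocase content match, then the pcre."""
    if SID_663_CONTENT not in payload.lower():
        return False
    return SID_663_PCRE.search(payload.decode("latin-1")) is not None


# Constructed client-to-server SMTP lines (not captured traffic), with the
# result the emulated rule should give for each.
SAMPLES = {
    b"RCPT TO:<alice@example.com>\r\n": False,  # ordinary recipient address
    b"rcpt to: |/usr/bin/id\r\n": True,  # recipient is a pipe to a program
    b"RCPT TO:;/bin/true\r\n": True,  # semicolon variant (\x3b in the pcre)
    b"DEBUG\r\n": False,  # the bid 1 / CVE-1999-0095 debug command: no match
    b"MAIL FROM:<bob@example.com>\r\nRCPT TO: |sed -e '1,/^$/'\r\n": True,  # ^ with /m
}


def check_samples() -> dict:
    """Return {sample_line: rule_fires} for every constructed sample."""
    return {line: sid_663_rev15_matches(line) for line in SAMPLES}


if __name__ == "__main__":
    print("rev 4 content string:", decode_rev4_content())
    for line, fires in check_samples().items():
        print(f"{'ALERT' if fires else 'ok   '} {line!r}")
```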