Snort mailing list archives
Re: Question on 663 - solved
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:09:27 -0500
OK, so I will rudely answer my own post, but only so that the thread ends with a resolution, rather than ending with "we all lost interest". Here is the description from arachnids:

Rule:
--
Sid: 663
--
Summary: This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server. This may be an attempt to exploit a problem in older versions of Sendmail.
--
Impact: Attempted administrator access. A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root.
--
Detailed Information: A vulnerability exists in older versions of Sendmail associated with the debug mode. Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often times root. The "sed" command is used to strip off the mail headers before executing the supplied command. This vulnerability was exploited by the Morris worm.
--
Affected Systems: Sendmail versions prior to 5.5.9.
--
Attack Scenarios: An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server.
--
Ease of Attack: Easy. An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed.
--
False Positives: It is possible that this event may be generated by text in the DATA section of a pipelined SMTP transaction.
--
False Negatives: This rule generates an event based on a specific string in the packet payload. An attacker could craft payloads with other malicious commands.
--
Corrective Action: Upgrade to Sendmail version 5.5.9 or higher.
--
Contributors:
Original rule written by Max Vision <vision () whitehats com>
Modified by Brian Caswell <bmc () sourcefire com>
Sourcefire Research Team
Judy Novak <judy.novak () sourcefire com>
Nigel Houghton <nigel.houghton () sourcefire com>
--
Additional References:
Bugtraq: http://www.securityfocus.com/bid/1
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
Arachnids: http://www.whitehats.com/info/IDS172
--

Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com
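The "False Positives" entry in the quoted description is the part worth a concrete illustration: the rule fires on the signature string anywhere in the packet payload, so a legitimate message body that happens to mention the sed expression (delivered in the same packet as the envelope commands, i.e. a pipelined transaction) trips it just as an envelope-phase recipient would. The following is an added example, not the poster's code and not how Snort itself evaluates SID 663 (Snort matches the raw payload and keeps no SMTP phase state). It assumes you are looking at the client-to-server side of a session as a list of lines, tracks whether each line is in the command phase or inside a DATA body, and reports where the signature occurred; the two sample sessions are constructed, and the suspicious recipient is redacted to the signature prefix.

```python
# Added example: SMTP-phase-aware check for the SID 663 signature string.
# Not the poster's code and not Snort's matching logic; it illustrates the
# false-positive note from the rule documentation. Sample sessions below are
# constructed for this example.

# The literal string the rule looks for, as quoted in the rule documentation.
SIGNATURE = "|sed -e '1,/^$/'"


def scan_smtp_session(lines):
    """Walk the client side of an SMTP session line by line.

    Tracks whether each line belongs to the command/envelope phase or to a
    DATA body (everything after a DATA command up to the lone "." line).
    Returns a list of (line_number, phase, line) for every line containing
    SIGNATURE, where phase is "command" or "data".
    """
    hits = []
    in_data = False
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if SIGNATURE in line:
            hits.append((number, "data" if in_data else "command", line))
        if in_data:
            if line == ".":          # end-of-message marker closes the body
                in_data = False
        elif line.upper().startswith("DATA"):
            in_data = True           # following lines are message body
    return hits


def command_phase_hits(lines):
    """Only the hits found in envelope commands (RCPT TO and friends).

    These match the documented attack scenario; a hit inside the DATA body
    is the false positive the rule documentation warns about.
    """
    return [hit for hit in scan_smtp_session(lines) if hit[1] == "command"]


# Constructed pipelined benign session: the signature appears only in the
# message body, where a user is discussing how to strip mail headers.
BENIGN_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: stripping headers",
    "",
    "Pipe the saved message through |sed -e '1,/^$/' d to drop the headers.",
    ".",
    "QUIT",
]

# Constructed session matching the documented attack scenario: the signature
# sits in the recipient during the envelope phase (remainder redacted).
SUSPICIOUS_SESSION = [
    "HELO attacker.example.test",
    "MAIL FROM:<nobody@example.test>",
    "RCPT TO:<\"|sed -e '1,/^$/' [redacted]\">",
    "DATA",
    "irrelevant body",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION),
                          ("suspicious", SUSPICIOUS_SESSION)):
        for number, phase, line in scan_smtp_session(session):
            print(f"{name}: line {number} ({phase} phase): {line}")
```

Run as-is it reports one hit in each session; only the suspicious one is in the command phase. A plain substring match over the whole payload, which is what the quoted rule does, cannot make that distinction, which is exactly why the description lists DATA-section text as a false-positive source.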