Snort mailing list archives

Re: Question on 663 - solved


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Apr 2009 12:09:27 -0500

OK, so I will rudely answer my own post, but only so that the thread  
ends with a resolution, rather than ending with "we all lost interest".

Here is the description from arachnids:

Rule:

--
Sid:
663

--
Summary:
This event is generated when the string "|sed -e '1,/^$/'" is found in  
the payload of a packet sent to a Sendmail server.  This may be an  
attempt to exploit a problem in older versions of Sendmail.

--
Impact:
Attempted administrator access.  A successful attack can allow remote  
execution of commands at the privilege level of Sendmail, usually root.

--
Detailed Information:
A vulnerability exists in older versions of Sendmail associated with  
the debug mode.  Malformed text specifying the recipient could be a  
command that would execute at the privilege level of Sendmail, often  
times root.  The "sed" command is used to strip off the mail headers  
before executing the supplied command.  This vulnerability was  
exploited by the Morris worm.

--
Affected Systems:
Sendmail versions prior to 5.5.9.

--
Attack Scenarios:
An attacker can craft a recipient name that is a command. This command  
executes arbitrary code on the server.

--
Ease of Attack:
Easy.  An attacker can telnet to port 25 of a vulnerable server, enter  
debug mode, and craft a malicious recipient containing a command to be  
executed.

--
False Positives:
It is possible that this event may be generated by text in the DATA  
section of a pipelined SMTP transaction.

--
False Negatives:
This rule generates an event based on a specific string in the packet  
payload.  An attacker could craft payloads with other malicious  
commands.

--
Corrective Action:
Upgrade to Sendmail version 5.5.9 or higher.

--
Contributors:
Original rule written by Max Vision <vision () whitehats com>
Modified by Brian Caswell <bmc () sourcefire com>
Sourcefire Research Team
Judy Novak <judy.novak () sourcefire com>
Nigel Houghton <nigel.houghton () sourcefire com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/1

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095

Arachnids:
http://www.whitehats.com/info/IDS172

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
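The rule description above says SID 663 fires on a fixed content string anywhere in the payload, and that the DATA section of a pipelined SMTP transaction is the main false-positive source. The following is an added example (not part of the post above and not Snort's own rule logic) that walks a client-side SMTP transcript, tracks whether it is inside DATA, and reports where the string was seen so an analyst can separate the envelope case from body text. The function names, the `Hit` record and the two sample transcripts are constructed for illustration.

```python
from dataclasses import dataclass

# Content string as quoted in the SID 663 rule documentation.
SID_663_CONTENT = "|sed -e '1,/^$/'"


@dataclass
class Hit:
    line_no: int
    context: str  # "envelope" (SMTP command line) or "data" (message body)
    line: str


def scan_smtp_session(payload: str):
    """Scan an SMTP client transcript line by line and return every
    occurrence of the SID 663 content string with its context.

    A hit in the envelope (e.g. a RCPT TO command) is the case the rule
    is meant to catch; a hit inside DATA is the false-positive case the
    rule documentation warns about (ordinary message text that happens
    to contain the string)."""
    hits = []
    in_data = False
    for n, raw in enumerate(payload.splitlines(), start=1):
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":  # a lone dot terminates the DATA section
                in_data = False
            elif SID_663_CONTENT in line:
                hits.append(Hit(n, "data", line))
            continue
        if line.strip().upper() == "DATA":
            in_data = True
            continue
        if SID_663_CONTENT in line:
            hits.append(Hit(n, "envelope", line))
    return hits


def classify(hits):
    """Collapse a hit list into a triage verdict: 'alert' if the string
    appeared in an SMTP command line, 'review' if it only appeared in
    message text, 'clean' if it never appeared."""
    contexts = {h.context for h in hits}
    if "envelope" in contexts:
        return "alert"
    if "data" in contexts:
        return "review"
    return "clean"


# Constructed sample transcripts, not real captures.
SUSPECT_SESSION = "\r\n".join([
    "HELO example.test",
    "MAIL FROM:<nobody@example.test>",
    "RCPT TO:<\"|sed -e '1,/^$/'\">",  # string in the envelope
    "DATA",
    "Subject: hello",
    "",
    "body",
    ".",
    "QUIT",
])

BENIGN_SESSION = "\r\n".join([
    "HELO example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: stripping headers with sed",
    "",
    "Try: cat msg |sed -e '1,/^$/' d   (untested)",  # string only in body text
    ".",
    "QUIT",
])

if __name__ == "__main__":
    for name, session in (("suspect", SUSPECT_SESSION), ("benign", BENIGN_SESSION)):
        hits = scan_smtp_session(session)
        print(name, classify(hits), [(h.line_no, h.context) for h in hits])
```

The state tracking here is deliberately simple: it only distinguishes command lines from the DATA body, which is exactly the split the rule documentation's false-positive note is about. A real preprocessor would also have to handle pipelining across packet boundaries, which a per-packet content match cannot see.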

