Re: Real-world attacks on sendmail CA-2003-07 seen

From: james (jameshat_private)
Date: Mon Mar 10 2003 - 12:08:06 PST


    Here are some Snort sigs for the Sendmail exploit, YVMV:
    
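    ###################
    # Sendmail Exploit#
    ###################
    # Snort signatures for the sendmail crackaddr() overflow (CAN-2002-1337,
    # CERT VU#398025 / CA-2003-07). Deployment notes:
    #  - Every rule in the original posting carried sid:2087. Snort requires
    #    a unique sid per rule; duplicates fail to load or shadow each other,
    #    and the differing rev numbers are meaningless while the sid is shared.
    #    The sids below (1000001-1000010) are CONSTRUCTED placeholders in the
    #    local-rule range (>= 1000000); replace them with sids from your own
    #    allocated range before use.
    #  - Rules B-F originally used "flow: to_server" without "established";
    #    "established" is added so that stateless / spoofed packets cannot
    #    trigger them, matching the A rules.
    #  - Line continuations that fell inside a quoted string (the split msg
    #    in the first rule and the split hex blocks in D-F) are joined onto a
    #    single line; a continuation inside quotes can concatenate the text
    #    without the intended whitespace.
    #  - $HOME_NET and $SMTP_SERVERS must be defined in snort.conf.
    #
    # Payload signature rather than a trigger signature: the hex decodes to
    # "/shh/bin" followed by what appear to be x86 opcodes, i.e. one published
    # exploit's shellcode. It will not fire on variants carrying different code.
    alert tcp any any -> $HOME_NET 25 (sid:1000001; msg:"Sendmail Buffer overflow"; flow:established; content:"|2f73 6868 2f62 696e 545b 5053 5459 31d2|";)
    
    # A rules: a run of "<>" pairs followed by "(" and ")" in an address
    # header (the crackaddr() trigger), anchored to a specific header name.
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A";\
    flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>";\
    distance:0; content:"("; distance:1; content:")"; distance:1;reference:cve,CAN-2002-1337;\
    reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:1000002; rev:2;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A";\
    flow:to_server,established; content:"Sender\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>";\
    distance:0; content:"("; distance:1; content:")"; distance:1;reference:cve,CAN-2002-1337;\
    reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:1000003; rev:2;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A";\
    flow:to_server,established; content:"Reply-To\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>";\
    distance:0; content:"("; distance:1; content:")"; distance:1;reference:cve,CAN-2002-1337;\
    reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:1000004; rev:2;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A";\
    flow:to_server,established; content:"Errors-To\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>";\
    distance:0; content:"("; distance:1; content:")"; distance:1;reference:cve,CAN-2002-1337;\
    reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:1000005; rev:2;)
    
    # A1: same pattern with no header-name anchor, so it also covers headers
    # not listed above; expect it to fire alongside one of the A rules.
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow A1";\
    flow:to_server,established; content:"<><><><><><><><><><><><><><><><><><><><><><>";\
    distance:0; content:"("; distance:1; content:")"; distance:1;reference:cve,CAN-2002-1337;\
    reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:1000006; rev:2;)
    
    # B: matches only the three bytes "<>(" anywhere in the stream; this will
    # occur in ordinary message text, so expect false positives. Treat it as a
    # low-confidence indicator and correlate with the A / C-F rules.
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow B";\
    flow:to_server,established;content:"|3c3e28|"; nocase;reference:cve,CAN-2002-1337;classtype:attempted-admin; sid:1000007;rev:1;)
    
    # C-F: header name followed by eight "<>" pairs given as hex (3c3e),
    # a shorter run than the A rules require.
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow C";\
    flow:to_server,established; content:"Sender\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:1000008;rev:3;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow D";\
    flow:to_server,established; content:"From\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:1000009;rev:4;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow E";\
    flow:to_server,established; content:"Reply-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:1000010;rev:5;)
    
    alert tcp any any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT Sendmail crackaddr overflow F";\
    flow:to_server,established; content:"Errors-To\: |3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e 3c3e|"; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:1000011;rev:6;)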
    
    
    


