Fate Research Labs and I are currently writing a research paper on our analysis of several Sendmail exploit variants. We have provided initial logfile analysis and new snort signatures herein.

We agree with the views of Mike Poor. We do consider the use of depth and offsets in IDS signatures to be dangerous. Once attackers start to see IDSs looking for specific characters within the packets at a certain depth or offset, they can simply move them to a new location within the packet. Our signatures haven't seemed to produce any false positives as of yet.

Our paper will be released shortly from here at SANS 2003. Please send any suggested revisions to our signatures to lokiat_private

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/snort/alert
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (1) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665137 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x17F
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8954 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x9097CD8D  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]

[**] [1:2087:1] LSD-PL.NET Sendmail Buffer Overflow (2) [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/10-15:56:03.665878 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x841
127.0.0.1:34325 -> 127.0.0.1:25 TCP TTL:64 TOS:0x0 ID:8956 IpLen:20 DgmLen:2099 DF
***AP*** Seq: 0x9097CED9  Ack: 0x90BD0AEE  Win: 0x7FFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1306553 1306553
[Xref => cve CAN-2002-1337]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/var/log/maillog
***********************************************************************

Mar 11 00:33:53 victim sendmail[313]: h2B5Xmm00313: SYSERR: putoutmsg (attacker): error on output channel sending "503 5.0.0 Need MAIL before RCPT": Broken pipe
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: Dropped invalid comments from header address
Mar 11 00:33:53 victim sendmail[317]: h2B5Xrm00316: SYSERR(root): Infinite loop in ruleset canonify, rule 16
Mar 11 00:33:54 victim sendmail[317]: h2B5Xrm00316: to=root, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32057, dsn=2.0.0, stat=Sent
Mar 11 00:34:27 victim sendmail[327]: h2B5YRm00327: from=anonymousat_private, size=2380, class=0, nrcpts=1, msgid=<200303110534.h2B5YRm00327at_private>, proto=SMTP, daemon=MTA, relay=attacker [67.94.234.199]
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: Dropped invalid comments from header address
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: SYSERR(root): Infinite loop in ruleset canonify, rule 16
Mar 11 00:34:27 victim sendmail[328]: h2B5YRm00327: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32057, dsn=2.0.0, stat=Sent

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SNORT signatures from research
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# Rule (1): run of seven "<>" pairs (3C 3E) in the client-to-server SMTP stream.
# No depth/offset is used, so the match does not depend on packet position.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (1)";\
    flow: to_server; content:"|3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E|";\
    flags: A+; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:2087; rev:1;)

# Rule (2): fixed byte sequence from the exploit payload, matched at any offset.
# As posted, both rules carry sid:2087; Snort requires a unique sid per rule,
# so give this one its own sid before loading both.
alert tcp any any -> $SMTP_SERVERS 25 (msg:"LSD-PL.NET Sendmail Buffer Overflow (2)";\
    flow: to_server; content:"|68 2F 2F 73 68 68 2F 62 69 6E 54 5B 50 53 54 59|";\
    flags: A+; nocase; reference:cve,CAN-2002-1337;\
    classtype:attempted-admin; sid:2087; rev:1;)

-- 
Loki <lokiat_private>
Internet Warfare and Intelligence
Fate Research Labs, USA
http://www.fatelabs.com
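An added example, not from Loki's post or from Fate Research Labs: a small Python checker that applies the two rules' content bytes to an SMTP payload at any offset (the post's reason for avoiding depth/offset), and scans maillog lines for the "Dropped invalid comments" plus "Infinite loop in ruleset canonify" pair per queue id, as seen in the log above. The log regexes and the sample payloads and log lines in the test are constructed, modelled on the lines quoted in the post.

```python
import re
from collections import defaultdict

# Content bytes transcribed from the two Snort rules in the post (hex -> bytes).
RULE_CONTENT = {
    "LSD-PL.NET Sendmail Buffer Overflow (1)":
        bytes.fromhex("3C3E3C3E3C3E3C3E3C3E3C3E3C3E"),        # "<>" x 7
    "LSD-PL.NET Sendmail Buffer Overflow (2)":
        bytes.fromhex("682F2F7368682F62696E545B50535459"),
}


def match_smtp_payload(payload: bytes) -> list:
    """Return the rule messages whose content bytes occur anywhere in the
    client-to-server payload. No depth/offset is applied, so the match does
    not care where in the packet the bytes land. A single "<>" (the legitimate
    null return path in MAIL FROM:<>) is far shorter than the 14-byte run."""
    return [msg for msg, pat in RULE_CONTENT.items() if pat in payload]


# Constructed maillog format, modelled on the lines quoted in the post.
LOG_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
RELAY_RE = re.compile(r"relay=(\S+ \[[\d.]+\])")


def suspicious_queue_ids(loglines) -> dict:
    """Group maillog lines by queue id (the envelope line and the delivery
    lines come from different sendmail pids but share the id) and report ids
    that show both 'Dropped invalid comments from header address' and the
    canonify 'Infinite loop' SYSERR, mapped to the relay that submitted it."""
    events = defaultdict(set)
    relay = {}
    for line in loglines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if "Dropped invalid comments from header address" in rest:
            events[qid].add("dropped")
        if "Infinite loop in ruleset canonify" in rest:
            events[qid].add("loop")
        r = RELAY_RE.search(rest)
        if r:
            relay[qid] = r.group(1)
    return {qid: relay.get(qid) for qid, ev in events.items()
            if ev == {"dropped", "loop"}}
```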
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 08:57:34 PST