[Snort-sigs] SID 654 (SMTP RCPT TO overflow)

Hugo van der Kooij hvdkooij at ...481...
Sun Mar 31 01:59:07 EST 2002

A rather improved version of this SID

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; flow:to_server; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:2;)


When connecting to port 25 (SMTP) on a computer running a vulnerable SMTP
server it is possible to perform a DoS attack.
In some cases it might be possible to perform a security breach as well.

Depending on the vulnerable software you may need to restart the SMTP
server or perform other sorts of intervention.
You may also see your server go down and possibly disrupt other services
on the same machine as well.

Detailed Information:
 - Vulnerable systems:
Avirt Mail 4.0 (build 4124)
Avirt Mail 4.2 (build 4807)
Netscape Messaging Server 3.54/3.55/3.6

More details can be found on the various sites listed below as the
impact and details vary from system to system.

Attack Scenarios:
Supply a large amount of data after the RCPT TO: header in your SMTP flow.

Ease of Attack:
DoS: rather easy
Security breach: probably hard

False Positives:
These will occur rather frequently with the given rule.
They are most common when subscribed to mailing lists.

False Negatives:
But as some software only requires 272 after the RCPT TO: header it is
likely they may exist.

Corrective Action:
Upgrade software according to the instructions of your software manufacturer.

Hugo van der Kooij <hugo at ...481...>

Additional References:

All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
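
Added example (not part of the original post and not Snort code): a Python model of the rule as posted, next to a per-command length check, run over constructed SMTP payloads to show the false positive and the false negative the description mentions. The 272 figure is read as bytes, and the function names and sample addresses are assumptions.

```python
# Thresholds from the post: dsize:>800 in the rule, and the 272 given under
# "False Negatives" (interpreted here as bytes, which is an assumption).
RULE_DSIZE = 800
ARG_LIMIT = 272
VERB = b"rcpt to:"


def rule_654(payload):
    """Model of SID 654 as posted: payload larger than 800 bytes that
    contains 'rcpt to:'. The content match has no nocase option, so it is
    case-sensitive, exactly as in the rule text."""
    return len(payload) > RULE_DSIZE and VERB in payload


def long_rcpt_args(payload, limit=ARG_LIMIT):
    """Per-command check: return the argument length of every RCPT TO
    command whose argument exceeds `limit`. Assumes `payload` is
    reassembled stream data, so each command sits on one CRLF line."""
    hits = []
    for line in payload.split(b"\r\n"):
        line = line.strip()
        if line[:len(VERB)].lower() == VERB:
            arg_len = len(line) - len(VERB)
            if arg_len > limit:
                hits.append(arg_len)
    return hits


# Constructed sample 1: one packet carrying 40 short pipelined recipients,
# the kind of traffic a mailing list produces (1560 bytes in total).
LIST_MAIL = b"".join(
    b"rcpt to:<member%03d@lists.example.org>\r\n" % i for i in range(40)
)

# Constructed sample 2: one small packet (324 bytes) whose single RCPT TO
# argument is 314 bytes long, above 272 but far below dsize:>800.
OVERSIZED = b"rcpt to:<" + b"x" * 300 + b"@example.org>\r\n"

# Constructed sample 3: an ordinary recipient.
NORMAL = b"rcpt to:<alice@example.org>\r\n"

if __name__ == "__main__":
    for name, data in (("list mail", LIST_MAIL),
                       ("oversized", OVERSIZED),
                       ("normal", NORMAL)):
        print(name, "rule fires:", rule_654(data),
              "long arguments:", long_rcpt_args(data))
```

The list-mail sample trips the packet-size rule although no single argument is long, while the oversized sample stays under 800 bytes and is only caught by measuring the argument itself.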
