[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

Nigel Houghton nigel at ...435...
Mon Jan 24 18:15:04 EST 2005


On  0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> I am seeing many hits on this rule for what appear to be perfectly
> normal IMAP requests.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow
> attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:
> 100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775;
> classtype:misc-attack; sid:3070; rev:1;)
> 
> My understanding of this is that we are looking for a newline within 100
> characters of 'FETCH' and alerting if we don't find it.  Unfortunately
> there are many legitimate FETCH requests that are longer than 100 chars.
> 
> There is no doc on the rule so I don't know what specific attack (if
> any) this is trying to detect.
> 
> I will be disabling this rule.
> 
> Russell.

Looks like a number of docs are missing from snort.org at the moment.
Sorry about that, we'll get that fixed asap. The docs *do* exist, you
just can't see them right now :)

Here is the doc for 3070:

Sid:
3070

--
Summary:
This event is generated when an attempt is made to exploit a buffer
overflow associated with several commands of the Mercury Mail IMAP
service.

--
Impact:
A successful attack may cause a denial of service or a buffer overflow
and the subsequent execution of arbitrary code on a vulnerable server.

--
Detailed Information:
A vulnerability exists in the way that the Mercury Mail IMAP service
handles several commands.  An excessively long command argument can
trigger a denial of service or a buffer overflow and the subsequent
execution of arbitrary code on a vulnerable server.

--
Affected Systems:
	Pegasus Mail Mercury Mail Transport System 3.32
	Pegasus Mail Mercury Mail Transport System 4.01a

--
Attack Scenarios:
An attacker can supply an overly long command argument, causing a
denial of service or a buffer overflow.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Research Team
Brian Caswell
Judy Novak
 
+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical,
         you know. Pestilence here, a plague there. Omnipotence
         ...gotta get me some of that.
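To make the false positive concrete, here is the payload-matching part of sid 3070 (content, isdataat, pcre) rewritten as a small Python checker and run over a few IMAP command lines. This is an added example, not code from the original post, from Nigel or from Sourcefire. It assumes the input is a single client-to-server IMAP payload on port 143 with the flow already established (the rule's flow and port options are not modelled), the isdataat boundary is an approximation of Snort's check, and every sample command is constructed rather than captured.

```python
"""Payload-matching part of Snort sid 3070, modelled in Python.

Added example: models content:"FETCH"; nocase; isdataat:100,relative and
pcre:"/\\sFETCH\\s[^\\n]{100}/smi" to show which IMAP FETCH lines fire the
rule. flow:established,to_server and the port 143 condition are assumed
already satisfied. Samples below are constructed, not captured traffic.
"""
import re

# pcre:"/\sFETCH\s[^\n]{100}/smi" -> the s, m, i modifiers map to re.S, re.M, re.I
SID3070_PCRE = re.compile(rb"\sFETCH\s[^\n]{100}", re.S | re.M | re.I)
ISDATAAT_BYTES = 100  # isdataat:100,relative


def content_fetch_nocase(payload: bytes):
    """content:"FETCH"; nocase; -> yield the cursor (end offset) of every match.

    Snort retries later occurrences if a following option fails, so every
    occurrence is a candidate, not only the first.
    """
    upper = payload.upper()
    start = 0
    while True:
        idx = upper.find(b"FETCH", start)
        if idx < 0:
            return
        yield idx + len(b"FETCH")
        start = idx + 1


def isdataat_relative(payload: bytes, cursor: int, n: int = ISDATAAT_BYTES) -> bool:
    """isdataat:n,relative -> at least n bytes follow the previous content match.

    Assumption: Snort's exact boundary may differ by one byte; the pcre is what
    enforces the real 100-byte run, this option is only a cheap prefilter.
    """
    return len(payload) - cursor >= n


def sid3070_fires(payload: bytes) -> bool:
    """True if all payload options of sid 3070 match, in Snort's evaluation order.

    The pcre has no R modifier, so it searches the whole payload rather than
    starting at the content cursor.
    """
    for cursor in content_fetch_nocase(payload):
        if isdataat_relative(payload, cursor) and SID3070_PCRE.search(payload):
            return True
    return False


# Constructed sample IMAP client commands (not captured traffic).
SAMPLES = {
    # Typical mail-client header prefetch: benign, but well over 100 bytes
    # follow "FETCH " with no newline, so the rule fires. This is the kind of
    # legitimate request Russell reports as a false positive.
    "legit_long_fetch": (
        b"a001 UID FETCH 1:* (FLAGS INTERNALDATE RFC822.SIZE ENVELOPE "
        b"BODY.PEEK[HEADER.FIELDS (From To Cc Bcc Subject Date Message-ID "
        b"Priority X-Priority References Newsgroups In-Reply-To Content-Type "
        b"Reply-To)])\r\n"
    ),
    # Short FETCH: content matches, isdataat fails, rule does not fire.
    "legit_short_fetch": b"a002 FETCH 1 (FLAGS BODY[HEADER])\r\n",
    # One oversized argument, the shape the rule is written to catch.
    "overlong_argument": b"a003 FETCH " + b"A" * 300 + b"\r\n",
    # nocase and the i modifier: case does not matter.
    "lowercase_overlong": b"a004 fetch " + b"A" * 150 + b"\r\n",
    # Two pipelined commands in one segment: isdataat passes because plenty
    # of data follows FETCH, but the newline inside 100 bytes makes the
    # pcre fail, so the rule does not fire.
    "pipelined_short_fetch": (
        b"a005 FETCH 1 (FLAGS)\r\na006 SEARCH " + b"OR " * 60 + b"ALL\r\n"
    ),
    # Long line without FETCH at all: content never matches.
    "long_non_fetch": b"a007 SEARCH " + b"OR " * 60 + b"ALL\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether sid 3070 would fire on it."""
    return {name: sid3070_fires(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24s} {'ALERT' if fired else '-'}")
```

The 100-byte threshold is the whole detection: any FETCH whose item list and sequence set run past 100 bytes on one line trips it, so a client that prefetches a long HEADER.FIELDS list looks identical to an overlong argument. Note also that the pcre is not anchored to the content cursor, so with pipelined commands in one segment the two options can disagree, as the `pipelined_short_fetch` sample shows.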