[Snort-sigs] IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow

Joel Esler jesler at ...435...
Sun Mar 25 17:11:27 EDT 2012


I don't know where you got that rule from, but it's different from ours:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; flowbits:isset,qualcom.worldmail.ok; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)

Which depends upon this rule:

alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"IMAP Qualcomm WorldMail Server Response"; flow:established,to_client; content:"WorldMail IMAP4 Server"; fast_pattern:only; nocase; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; sid:17327; rev:6;)

J

On Mar 25, 2012, at 3:35 PM, Yew Chuan Ong wrote:

> Hey guys,
> 
> I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)
> 
> When I checked on the payloads, these are just normal email contents (not suspicious). I am wondering why the packet size is more than 668 bytes if it is not a real buffer overflow attempt. Any ideas? Thanks.
> 
> 
> Regards
> Yew Chuan
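As an added illustration of Joel's point (example code written here, not part of the thread or of Snort), a small Python audit of the rules quoted above: it parses the rule options, reports rules whose only payload test is dsize with no content/pcre/flowbits gate, and reports flowbits that are tested with isset but never set by any rule. The copy of Yew Chuan's flowbits-less variant carries the placeholder SID 1000001 so it stays distinct from the real 17328.

```python
import re

# Constructed rule set: the two rules from Joel's reply (SIDs 17327, 17328) and
# Yew Chuan's variant without the flowbits gate (placeholder SID 1000001).
RULES = [
    'alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"IMAP Qualcomm WorldMail Server Response"; '
    'flow:established,to_client; content:"WorldMail IMAP4 Server"; fast_pattern:only; nocase; '
    'flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; '
    'classtype:protocol-command-decode; sid:17327; rev:6;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token '
    'Parsing Buffer Overflow"; flow:established,to_server; flowbits:isset,qualcom.worldmail.ok; '
    'dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; '
    'reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token '
    'Parsing Buffer Overflow"; flow:established,to_server; dsize:>668; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service imap; '
    'reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:1000001; rev:1;)',
]

# One rule option: keyword, optional ":value" (quoted strings may hold ';'), then ';'.
_OPTION = re.compile(r'\s*([a-z_]+)(?::((?:"(?:[^"\\]|\\.)*"|[^;"])*))?;')

def parse_rule(rule):
    """Split a rule into its header and an ordered list of (keyword, value) options."""
    header, _, body = rule.partition('(')
    body, pos, opts = body.rstrip().rstrip(')'), 0, []
    while pos < len(body):
        m = _OPTION.match(body, pos)
        if not m:
            raise ValueError('cannot parse options at: %r' % body[pos:pos + 40])
        opts.append((m.group(1), (m.group(2) or '').strip()))
        pos = m.end()
    return header.strip(), opts

def option_values(opts, keyword):
    return [v for k, v in opts if k == keyword]

def flowbits_audit(rules):
    """Return (size_only_sids, unresolved): SIDs that match on dsize alone, and
    each isset flowbit that no rule sets, mapped to the SIDs that test it."""
    set_bits, isset_by_sid, size_only = set(), {}, []
    for rule in rules:
        opts = parse_rule(rule)[1]
        sid = option_values(opts, 'sid')[0]
        for fb in option_values(opts, 'flowbits'):
            op, _, name = fb.partition(',')   # e.g. "isset,qualcom.worldmail.ok"
            if op == 'set':
                set_bits.add(name)
            elif op == 'isset':
                isset_by_sid.setdefault(sid, []).append(name)
        gates = option_values(opts, 'content') + option_values(opts, 'pcre')
        if option_values(opts, 'dsize') and not gates and sid not in isset_by_sid:
            size_only.append(sid)
    unresolved = {}
    for sid, names in isset_by_sid.items():
        for name in (n for n in names if n not in set_bits):
            unresolved.setdefault(name, []).append(sid)
    return size_only, unresolved
```

Run against the full set, only the placeholder variant is flagged as size-only; drop SID 17327 from the list and the audit also reports qualcom.worldmail.ok as a flowbit that 17328 tests but nothing sets.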
