[Snort-users] New rule SID question ...

Hicks, John JHicks at ...5857...
Fri Jul 12 11:18:03 EDT 2002


Hello all,

	I just got an email anouncing a new M$ Encapsulated SMTP Address
Vulnerability (attached for reference) and I'm trying to write a new rule
for this, but have 1 question. What do I assign as a SID??? Do I have to
look for an unused one from some master list???

Thanks in advance,

John

----- Original Message -----
From: <support at ...6305...>
To: <list at ...6305...>
Sent: Friday, July 12, 2002 1:36 PM
Subject: [NT] IIS Microsoft SMTP Service Encapsulated SMTP Address
Vulnerability


> The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
> - - promotion
>
> When was the last time you checked your server's security?
> How about a monthly report?
> http://www.AutomatedScanning.com - Know that you're safe.
> - - - - - - - - -
>
>
>
>   IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> Laurent Frinking of Quark Deutschland GmbH originally discovered this
> vulnerability. At that time, the discovery concerned all versions of
> Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
>
> Portcullis has discovered that the Microsoft SMTP Service available with
> IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
> vulnerability even with anti-relaying features enabled. This vulnerability
> allows hosts that are not authorized to relay e-mail via the SMTP server
> to bypass the anti-relay features and send mail to foreign domains.
>
> DETAILS
>
> Impact:
> The anti-relay rules will be circumvented allowing spam and spoofed mail
> to be relayed via the SMTP mail server.
>
> Spam Mail:
> If the Microsoft IIS SMTP Server is used to relay spam mail this could
> result in the mail server being black holed causing disruption to the
> service.
>
> Spoofed e-mail:
> As the Microsoft IIS SMTP Service is most often utilized in conjunction
> with IIS for commercial use this flaw could be used in order to engineer
> customers particularly because spoofed e-mail relayed in this way will
> show the trusted web server in the SMTP header.
>
> Exploit:
> 220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready
> at Tue, 28 May 2002 14:54:10 +0100
> helo
> 250 test-mailer Hello [IP address of source host]
> MAIL FROM: test at ...6306...
> 250 2.1.0 test at ...6307... OK
> RCPT TO: test2 at ...6306...
> 550 5.7.1 Unable to relay for test at ...6306...
> RCPT TO: IMCEASMTP-test+40test+2Ecom at ...6308...
> 250 2.1.5 IMCEASMTP-test+40test+2Ecom at ...6308...
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Subject: You are vulnerable.
>
>
> ADDITIONAL INFORMATION
>
> The information has been provided by  <mailto:TLR at ...6309...>
> TLR.
>
>
>
> ========================================
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe at ...6305...
> In order to subscribe to the mailing list, simply forward this email to:
list-subscribe at ...6305...
>
>
> ====================
> ====================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without warranty of
any kind.
> In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.





More information about the Snort-users mailing list