[Snort-users] Exploit? (RCPT overflow)

matt mkettler at ...4108...
Thu Jun 13 17:26:06 EDT 2002

Personally, that rule is so incredibly false-alert prone that I've disabled it.

It merely looks for a TCP frame going to your SMTP server which contains 
more than 800 bytes of data.. Any email can easily set that off if 
pipelining is used.

SMTP command pipelining allows several command lines to be sent as a 
single packet without waiting for an OK response. Any good high-volume 
mailserver will try to pipeline where possible, resulting in a single TCP 
frame containing a series of command lines, each of which is not very long, 
but in aggregate easily exceed the 800 byte threshold, particularly if 
there is a large recipient list.

For more info on pipelining: http://www.faqs.org/rfcs/rfc1854.html

Since I know my mailserver is patched against such overflows, and I know 
the alert goes off at least three times a day here for various emails in 
the category listed above, I find that rule to be beyond worthless.

The rule can also be misled using carefully crafted packets to ensure that 
the RCPT TO: exploit is split into multiple frames. Stream4 can re-assemble 
the stream for content patterns, but it cannot total the segment length up 
(otherwise EVERY email would trigger this rule).

So I send one tcp frame containing:

     RCPT To: something

Then another several frames containing:

   really long that will overflow the rcpt

   to buffer within old and buggy mailservers

   {insert shellcode here}

   {more shellcode}

Boom, rcpt to: overflow without alerting that particular snort rule.

Sorry, but IMHO that rule is worthless since it will be triggered by valid 
SMTP traffic to a large CC list in your domain, but can easily be avoided 
by someone not-very-clever. Unless your mailserver doesn't support 
pipelines, kill it, kill it dead.

At 04:01 PM 6/13/2002 -0700, Michael Northup wrote:
>Today I'm seeing a lot of "SMTP RCPT TO overflow" alerts from a variety of 
>outside sources.  Is anyone else seeing the same?
>Michael Northup
>Burton Saw & Supply Co.
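As an added illustration that is not part of the original post, the following Python contrasts the kind of per-segment payload-size threshold described above with a per-command check over the reassembled SMTP stream. The 256-byte argument limit, the 100-byte segment size and all of the traffic are constructed for this example.

```python
# Added example, not code from the original post: compares a per-frame
# size threshold (the rule's behaviour as described) with a per-command
# check over the reassembled client stream. All traffic is constructed.

NAIVE_DSIZE_THRESHOLD = 800   # per-segment payload threshold the post mentions
RCPT_ARG_LIMIT = 256          # constructed per-command limit for the RCPT TO argument


def naive_rule_alerts(segment):
    """Mimic the original rule: alert on any SMTP segment with > 800 bytes."""
    return len(segment) > NAIVE_DSIZE_THRESHOLD


def reassembled_rcpt_overflow(segments):
    """Reassemble the client stream, then measure each RCPT TO argument.

    This ignores how the bytes were split into TCP segments and instead asks
    whether any single RCPT TO command carries an implausibly long argument.
    """
    stream = b"".join(segments)
    for line in stream.split(b"\r\n"):
        if line.upper().startswith(b"RCPT TO:"):
            if len(line[len(b"RCPT TO:"):].strip()) > RCPT_ARG_LIMIT:
                return True
    return False


# Constructed legitimate pipelined batch: MAIL FROM plus 30 short recipients
# sent in one segment, as a high-volume mailserver would do (932 bytes).
LEGIT_PIPELINED = b"MAIL FROM:<sender@example.com>\r\n" + b"".join(
    b"RCPT TO:<user%02d@example.com>\r\n" % i for i in range(30)
)

# Constructed over-long RCPT TO argument (plain filler bytes), delivered in
# 100-byte segments so that no single segment crosses the 800-byte threshold.
LONG_RCPT = b"RCPT TO:<" + b"A" * 1000 + b"@example.com>\r\nDATA\r\n"
SPLIT_LONG_RCPT = [LONG_RCPT[i:i + 100] for i in range(0, len(LONG_RCPT), 100)]


def compare():
    """Return each check's verdict on the legitimate batch and the split command."""
    return {
        "naive_flags_legit_batch": naive_rule_alerts(LEGIT_PIPELINED),
        "naive_flags_split_overflow": any(naive_rule_alerts(s) for s in SPLIT_LONG_RCPT),
        "reassembled_flags_legit_batch": reassembled_rcpt_overflow([LEGIT_PIPELINED]),
        "reassembled_flags_split_overflow": reassembled_rcpt_overflow(SPLIT_LONG_RCPT),
    }
```

The size-only check produces both a false positive on the pipelined batch and a false negative on the segmented command, while the per-command check over the reassembled stream gets both cases right.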

