[Snort-users] Question on 663

Jack Pepper pepperjack at ...14319...
Thu Apr 9 13:04:39 EDT 2009


Quoting rmkml <rmkml at ...953...>:

> on bid1 discuss:
> "Sendmail's debug mode allows the recipient of an email message to  
> be a program that runs with the privileges of the user id which  
> sendmail is running under."

right.  i got that.  bugtraq bid 1 discusses the case where sendmail  
has been compiled with the debug option enabled and some outside user  
is trying to access sendmail's "debug" command.  got it.

so back to sid 663:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to  
command attempt"; flow:to_server,established; content:"rcpt to|3A|";  
nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp;  
reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095;  
classtype:attempted-admin; sid:663; rev:15;)

this rule is *not* about debug.  it does not detect someone using the  
"debug" command.  this rule is about something else entirely.  the  
references are probably incorrect.  but i can find nothing on bugtraq  
about a sendmail exploit using the RCPT TO command.

Back in the arachnid days (this from august of 2002), sid=663 looked  
like this:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail  
5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20  
2d 65 20 27 31 2c 2f 5e 24 2f 27|";  reference:arachnids,172;  
reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)

so maybe this rule has never been right.


jp
>
> On Thu, 9 Apr 2009, Jack Pepper wrote:
>
>> Quoting rmkml <rmkml at ...953...>:
>>
>>> maybe look:
>>> http://www.securityfocus.com/bid/1/exploit
>>
>> Yeah, that's kind of my point, eh?  bugtraq bid 1 is not an exploit  
>> in RCPT, it's something completely different involving an exploit  
>> in DEBUG.
>>
>> jp
>>
>>> On Thu, 9 Apr 2009, Jack Pepper wrote:
>>>
>>>> This rule looks for "RCPT TO: ;"
>>>>
>>>> The reference to cve,1999-0095 regards sendmail having the "debug"
>>>> command enabled. Ditto for the bugtraq,1 reference.  And arachnids has
>>>> been dead for at least 5 years.
>>>>
>>>> Anybody know why this rule exists?  What is the exploitation of RCPT TO ?
>>>>
>>>> jp
>>>>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
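As an added illustration (not part of the thread or of the Snort rule set), the Python below approximates the rev:15 content/pcre test and decodes the rev:4 hex content, then runs both over constructed SMTP client lines; it is not Snort's own matcher and does not model the flow option.

```python
import re

# sid:663 rev:15 options, as quoted in the thread: content "rcpt to|3A|" with
# nocase, plus pcre "/^rcpt\s+to\:\s*[|\x3b]/smi" (s = dotall, m = multiline,
# i = case-insensitive). Re-implemented with Python's re as an approximation;
# the flow:to_server,established check is not modelled here.
CONTENT_REV15 = b"rcpt to:"
PCRE_REV15 = re.compile(rb"^rcpt\s+to\:\s*[|\x3b]",
                        re.DOTALL | re.MULTILINE | re.IGNORECASE)

# sid:663 rev:4 content option: the raw hex bytes quoted from the 2002 rule.
CONTENT_REV4 = bytes.fromhex("7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27")


def matches_rev15(payload: bytes) -> bool:
    """True if both the content and pcre options of rev:15 fire on the payload."""
    return CONTENT_REV15 in payload.lower() and PCRE_REV15.search(payload) is not None


def matches_rev4(payload: bytes) -> bool:
    """True if the rev:4 fixed byte string appears anywhere in the payload."""
    return CONTENT_REV4 in payload


# Constructed client-to-server SMTP lines, not captured traffic.
# "placeholder-program" is a stand-in for whatever would follow the pipe.
SAMPLES = {
    "normal_rcpt": b"RCPT TO:<alice@example.com>\r\n",
    "debug_cmd": b"DEBUG\r\n",
    "pipe_rcpt": b"MAIL FROM:<mallory@example.net>\r\nrcpt to: |placeholder-program\r\n",
    "semicolon_rcpt": b"RCPT TO:;\r\n",
    "rev4_style": b"RCPT TO: " + CONTENT_REV4 + b"\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to (rev15_hit, rev4_hit)."""
    return {name: (matches_rev15(p), matches_rev4(p)) for name, p in samples.items()}


if __name__ == "__main__":
    print("rev:4 content decodes to:", CONTENT_REV4.decode())
    for name, (r15, r4) in evaluate().items():
        print(f"{name:15s} rev15={r15!s:5s} rev4={r4}")
```

Neither revision fires on a bare DEBUG command or on an ordinary RCPT TO address, which is the point made above about the references.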