[Snort-users] Question on 663 - solved

Jack Pepper pepperjack at ...14319...
Thu Apr 9 13:09:27 EDT 2009

OK, so I will rudely answer my own post, but only so that the thread
ends with a resolution, rather than ending with "we all lost interest".

Here is the description from arachnids:



This event is generated when the string "|sed -e '1,/^$/'" is found in  
the payload of a packet sent to a Sendmail server.  This may be an  
attempt to exploit a problem in older versions of Sendmail.

Attempted administrator access.  A successful attack can allow remote  
execution of commands at the privilege level of Sendmail, usually root.

Detailed Information:
A vulnerability exists in older versions of Sendmail associated with  
the debug mode.  Malformed text specifying the recipient could be a  
command that would execute at the privilege level of Sendmail, often  
times root.  The "sed" command is used to strip off the mail headers  
before executing the supplied command.  This vulnerability was  
exploited by the Morris worm.

Affected Systems:
Sendmail versions prior to 5.5.9.

Attack Scenarios:
An attacker can craft a recipient name that is a command. This command  
executes arbitrary code on the server.

Ease of Attack:
Easy.  An attacker can telnet to port 25 of a vulnerable server, enter  
debug mode, and craft a malicious recipient containing a command to be  

False Positives:
It is possible that this event may be generated by text in the DATA  
section of a pipelined SMTP transaction.

False Negatives:
This rule generates an event based on a specific string in the packet  
payload.  An attacker could craft payloads with other malicious  

Corrective Action:
Upgrade to Sendmail version 5.5.9 or higher.

Original rule written by Max Vision <vision at ...4...>
Modified by Brian Caswell <bmc at ...1935...>
Sourcefire Research Team
Judy Novak <judy.novak at ...1935...>
Nigel Houghton <nigel.houghton at ...1935...>

Additional References:





Framework?  I don't need no stinking framework!

@fferent Security Labs:  Isolate/Insulate/Innovate  
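
An added example (not part of the original post, the arachnids text, or the Snort rule set) of the false-positive case the description mentions: it tracks SMTP state on the client side of a session and reports whether the signature string appeared in an envelope command or inside the DATA section. The function name and both sample sessions are constructed, and the code assumes the server accepted the DATA command.

```python
# Signature string quoted in the rule description above.
SIGNATURE = "|sed -e '1,/^$/'"

def classify_hits(client_lines):
    """Return (line_no, phase, line) for every client line containing SIGNATURE.

    phase is "envelope" for SMTP command lines and "data" for message content
    between the DATA command and the terminating "." line.
    Assumption: the server answered DATA with 354, so the lines that follow
    are message content and not further commands.
    """
    in_data = False
    hits = []
    for no, raw in enumerate(client_lines, 1):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":            # end-of-message marker
                in_data = False
                continue
            if line.startswith("."):   # undo SMTP dot-stuffing
                line = line[1:]
            phase = "data"
        else:
            if line.strip().upper() == "DATA":
                in_data = True
                continue
            phase = "envelope"
        if SIGNATURE in line:
            hits.append((no, phase, line))
    return hits

# Constructed sample: the string sits in the recipient field, which is what
# the rule description says the event is meant to catch.
ENVELOPE_SESSION = [
    "HELO client.example\r\n", "MAIL FROM:<user@client.example>\r\n",
    "RCPT TO:<\"|sed -e '1,/^$/'\">\r\n",
    "DATA\r\n", "placeholder body\r\n", ".\r\n", "QUIT\r\n",
]
# Constructed sample: a mail that only quotes the string in its body, the
# false-positive case from the description.
DATA_SESSION = [
    "EHLO client.example\r\n", "MAIL FROM:<user@client.example>\r\n",
    "RCPT TO:<list@lists.example>\r\n", "DATA\r\n",
    "Subject: Question on 663\r\n", "\r\n",
    "The rule matches |sed -e '1,/^$/' in the payload.\r\n", ".\r\n", "QUIT\r\n",
]

if __name__ == "__main__":
    for name, session in (("envelope", ENVELOPE_SESSION), ("data", DATA_SESSION)):
        print(name, classify_hits(session))
```

A plain content match fires on both sessions; only the first places the string where the description says the vulnerable code path reads it.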
