[Snort-users] Question on 663 - solved
pepperjack at ...14319...
Thu Apr 9 13:09:27 EDT 2009
ok, so i will rudely answer my own post, but only so that the thread
ends with a resolution, rather than ending with "we all lost interest".
Here is the description from arachnids:

This event is generated when the string "|sed -e '1,/^$/'" is found in
the payload of a packet sent to a Sendmail server. This may be an
attempt to exploit a problem in older versions of Sendmail.

Attempted administrator access. A successful attack can allow remote
execution of commands at the privilege level of Sendmail, usually root.

A vulnerability exists in older versions of Sendmail associated with
the debug mode. Malformed text specifying the recipient could be a
command that would execute at the privilege level of Sendmail, often
times root. The "sed" command is used to strip off the mail headers
before executing the supplied command. This vulnerability was
exploited by the Morris worm.

Sendmail versions prior to 5.5.9.

An attacker can craft a recipient name that is a command. This command
executes arbitrary code on the server.

Ease of Attack:
Easy. An attacker can telnet to port 25 of a vulnerable server, enter
debug mode, and craft a malicious recipient containing a command to be

It is possible that this event may be generated by text in the DATA
section of a pipelined SMTP transaction.

This rule generates an event based on a specific string in the packet
payload. An attacker could craft payloads with other malicious

Upgrade to Sendmail version 5.5.9 or higher.
Original rule written by Max Vision <vision at ...4...>
Modified by Brian Caswell <bmc at ...1935...>
Sourcefire Research Team
Judy Novak <judy.novak at ...1935...>
Nigel Houghton <nigel.houghton at ...1935...>
Framework? I don't need no stinking framework!
@fferent Security Labs: Isolate/Insulate/Innovate
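The false-positive note in the quoted description (the string turning up in the DATA section of a pipelined SMTP transaction) is easy to reproduce. The Python below is an added example, not part of the original post or of the Snort rule: it applies the rule's context-free content match to a client payload and, beside it, a check that only counts hits in SMTP envelope/command lines, using SMTP framing (everything after DATA up to a lone "." is message content). The payloads are constructed samples, not real captures.

```python
# The byte pattern the rule's content match looks for (from the description above).
SIGNATURE = b"|sed -e '1,/^$/'"


def split_smtp_payload(payload: bytes):
    """Split one client-to-server payload into command lines and DATA body lines.

    SMTP framing: after a DATA command, every line up to a line that is just '.'
    belongs to the message, not to the envelope. Pipelined clients can put
    commands and message content in the same packet, which is why a plain
    content match cannot tell the two apart.
    """
    commands, body = [], []
    in_data = False
    for line in payload.split(b"\r\n"):
        if in_data:
            if line == b".":
                in_data = False
            else:
                body.append(line)
        else:
            commands.append(line)
            if line.strip().upper() == b"DATA":
                in_data = True
    return commands, body


def classify(payload: bytes) -> dict:
    """Compare what the rule sees with a context-aware check."""
    commands, body = split_smtp_payload(payload)
    in_commands = any(SIGNATURE in line for line in commands)
    in_body = any(SIGNATURE in line for line in body)
    return {
        "rule_fires": SIGNATURE in payload,         # context-free content match
        "in_envelope": in_commands,                 # string in MAIL/RCPT/etc. lines
        "body_only": in_body and not in_commands,   # the false-positive case
    }


# Constructed samples (hypothetical hosts, not real traffic).
ENVELOPE_SAMPLE = (b"HELO client.example.test\r\n"
                   b"MAIL FROM:<nobody@example.test>\r\n"
                   b"RCPT TO:<|sed -e '1,/^$/'>\r\n")
BODY_SAMPLE = (b"MAIL FROM:<alice@example.test>\r\n"
               b"RCPT TO:<bob@example.test>\r\n"
               b"DATA\r\n"
               b"Subject: sed tip\r\n"
               b"\r\n"
               b"To drop the headers: cat msg |sed -e '1,/^$/'d\r\n"
               b".\r\n"
               b"QUIT\r\n")
```

Both samples make the content match fire; only the first carries the string in the envelope, so the second is the pipelined-DATA false positive the description warns about.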