CA-2003-12

ktimm
Level 1

Are there any signatures available for this? From looking at the advisory, it would seem searching for anything between \x80-\xff in the To header might suffice.

3 Replies

didyap
Level 6

Are you looking for a signature for something in particular, or is it the Sendmail buffer overflow vulnerability that you are referring to? If so, refer to the CERT Advisory: http://www.cert.org/advisories/CA-2003-12.html

I guess the signatures for these are available in the IDS systems. I don't have the details though.

From the details of the exploit, this problem is addressed by signature 3115 subsigs 0-2. These are looking for a non-printable character [\x80-\xFF] in the To, From, and CC fields of an email message header. We really only need to identify the \xFF character, but we get the coverage in with the range. Signature 3115 was originally written to cover the other Sendmail exploit in CERT CA-2003-07.

Does anyone else have huge numbers of false +ve's from these four subsigs? I see tons...
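
The check described in the replies above (a byte in [\x80-\xFF] in the To, From and CC headers), as an added Python example that is not part of the thread and is not Cisco's signature code. The sample messages are constructed, and the `has_ff` flag is an assumption added here to separate the \xFF case the reply singles out from other 8-bit bytes, such as an accented name sent without MIME encoding.

```python
import re

# Header fields the reply says signature 3115 inspects.
WATCHED = (b"to", b"from", b"cc")
HIGH_BYTE = re.compile(rb"[\x80-\xff]")


def header_fields(raw: bytes):
    """Yield (name, value) for each header, with folded lines unfolded."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]   # drop the body
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", head)        # join continuations
    for line in re.split(rb"\r?\n", unfolded):
        name, sep, value = line.partition(b":")
        if sep:
            yield name.strip().lower(), value.strip()


def scan(raw: bytes):
    """Return one finding per watched header containing a byte >= 0x80."""
    findings = []
    for name, value in header_fields(raw):
        if name not in WATCHED:
            continue
        hits = HIGH_BYTE.findall(value)
        if hits:
            findings.append({
                "header": name.decode(),
                "high_bytes": len(hits),
                "has_ff": b"\xff" in hits,  # assumption: triage hint only
            })
    return findings


# Constructed samples (not captured traffic).
# 1. Name is RFC 2047 encoded, so the header is pure ASCII; body has 0xE9.
ENCODED = (b"From: =?ISO-8859-1?Q?Andr=E9?= <andre@example.com>\r\n"
           b"To: bob@example.com\r\n\r\nbody \xe9\r\n")
# 2. Same name sent as a raw Latin-1 byte: matches the range, no 0xFF.
RAW_8BIT = (b"From: Andr\xe9 <andre@example.com>\r\n"
            b"To: bob@example.com\r\n\r\nhi\r\n")
# 3. 0xFF bytes on a folded continuation line of the To header.
FF_FOLDED = (b"To: alice@example.com,\r\n\t\xff\xff <x@example.com>\r\n"
             b"Cc: carol@example.com\r\n\r\nhi\r\n")

if __name__ == "__main__":
    for label, msg in (("encoded", ENCODED), ("raw8bit", RAW_8BIT),
                       ("ff", FF_FOLDED)):
        print(label, scan(msg))
```

Sample 2 triggers the range match without any \xFF byte, which is the kind of hit worth counting separately when tuning a noisy signature.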
