
CA-2003-12

Are there any signatures available for this? From looking at the advisory, it would seem searching for anything between \x80-\xff in the To header might suffice.


Re: CA-2003-12

Are you looking for a signature for something in particular, or is it the Sendmail buffer overflow vulnerability that you are referring to? If so, refer to the CERT Advisory http://www.cert.org/advisories/CA-2003-12.html

I guess the signatures for these are available in the IDS systems. I don't have the details though.


Re: CA-2003-12

From the details of the exploit, this problem is addressed by signature 3115 subsigs 0-2. These are looking for a non-printable character [\x80-\xFF] in the To, From, and CC fields of an email message header. We really only need to identify the \xFF character, but we get the coverage in with the range. Signature 3115 was originally written to cover the other Sendmail exploit in CERT CA-2003-07.


Re: CA-2003-12

Does anyone else have huge numbers of false +ve's from these four subsigs? I see tons...