Re: ISS Proventia email overflow



It is from a known good source, another mail server, but I don't know
if this instance is mail being relayed or generated from the server
itself. The smtp portion of the packet is just a bunch of random
numbers from what I can tell.


On Nov 20, 2007 10:15 AM, David Maynor <dmaynor@xxxxxxxxx> wrote:
Is the email spam or is it from a known good source?


On Nov 20, 2007 10:59 AM, Albert R. Campa <abcampa@xxxxxxxxx> wrote:
I don't know that it is an actual email, but this is 1 of 28 lines that
I took from a packet capture in the SMTP portion of the packet:

Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n

some lines are longer some shorter but 28 of them. I guess this is
what is causing the event to trigger.



On Nov 20, 2007 9:43 AM, David Maynor <dmaynor@xxxxxxxxx> wrote:
What is contained in that email? Specifically that check is looking
for strings that could be used as the payload in a buffer overflow.
There is always a chance of false positives, but I would love to see what
kind of legit email contains characters that could be translated to
machine code in a useful fashion.


On Nov 19, 2007 5:28 PM, Albert R. Campa <abcampa@xxxxxxxxx> wrote:
Hi guys,

I am getting spurts of events triggered by ISS Proventia, with the
following vulnerability description:
Vulnerability description
In buffer overflow attacks, an attacker supplies data that is longer
than the available space to hold it. For stack allocated variables,
this usually means the attacker can corrupt other variables and
eventually modify the code that is executed when the function in which
the overflow occurs ends.

http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm

They are from a trusted mail server so it's not being blocked.

Do you think this is just a true false positive or is this trusted
mail server sending bad packets?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
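The thread never settles what the 28 lines actually are. One check a practitioner would run before calling it a false positive is to decode the capture line back to raw bytes and see whether those bytes could legally be in an SMTP DATA stream at all: RFC 5321 mail is 7-bit unless 8BITMIME was negotiated, so a run of bytes at or above 0x80 from a "trusted" relay means either an unencoded binary body or an 8-bit transfer, both of which a generic "could this be machine code" heuristic will happily fire on. The script below is an added example, not code from the thread and not ISS's detection logic (which is not public; its verdict text only restates David's description of what the signature looks for). It assumes the `\NNN` octal escapes are tcpdump-style, and treats the leading "Message: " as Albert's label rather than captured bytes.

```python
import re

# Constructed sample: the escaped payload Albert quoted from the SMTP portion
# of his packet capture, minus the "Message: " label (assumed to be his, not
# wire data).
SAMPLE_LINE = r"\252\225U\376\207\251\326\270\001II\341\321\321I\001R\n"

# tcpdump/snoop-style escapes: \NNN octal, plus \n \r \t and a literal backslash
_ESCAPE_RE = re.compile(r"\\([0-7]{1,3}|n|r|t|\\)")
_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C}


def decode_octal_escapes(text: str) -> bytes:
    """Turn an escaped dump line back into the raw bytes that crossed the wire."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # unescaped chars are literal
        esc = m.group(1)
        out.append(_SIMPLE[esc] if esc in _SIMPLE else int(esc, 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def profile(data: bytes) -> dict:
    """Classify every byte so the analyst sees what the sensor actually saw."""
    counts = {"printable": 0, "whitespace": 0, "control": 0, "high_bit": 0}
    for b in data:
        if b >= 0x80:
            counts["high_bit"] += 1      # never legal in 7-bit SMTP DATA
        elif 0x20 <= b <= 0x7E:
            counts["printable"] += 1
        elif b in (0x09, 0x0A, 0x0D):
            counts["whitespace"] += 1
        else:
            counts["control"] += 1       # NUL, SOH, ...: not message text
    counts["total"] = len(data)
    counts["high_bit_ratio"] = counts["high_bit"] / len(data) if data else 0.0
    return counts


def is_seven_bit_text(data: bytes) -> bool:
    """True if the bytes are what an RFC 5321 MTA may send without 8BITMIME."""
    p = profile(data)
    return p["high_bit"] == 0 and p["control"] == 0


# Heuristic for a MIME base64 body line (how a binary attachment normally
# appears on the wire: 7-bit, alphabet-restricted, length a multiple of 4).
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_base64_line(line: str) -> bool:
    s = line.strip()
    return len(s) >= 16 and len(s) % 4 == 0 and bool(_B64_RE.match(s))


def triage(line: str) -> str:
    """One-line verdict for an escaped capture line taken from an SMTP DATA stream."""
    data = decode_octal_escapes(line)
    if is_seven_bit_text(data):
        if is_base64_line(data.decode("ascii")):
            return "encoded attachment text: 7-bit, nothing for a machine-code heuristic to match"
        return "7-bit message text"
    p = profile(data)
    return (f"raw 8-bit content ({p['high_bit']}/{p['total']} bytes >= 0x80, "
            f"{p['control']} control bytes): unencoded binary or 8BITMIME body; "
            "a generic overflow-payload signature is expected to fire on this")


if __name__ == "__main__":
    print(profile(decode_octal_escapes(SAMPLE_LINE)))
    print(triage(SAMPLE_LINE))
```

Run over Albert's line, 10 of the 18 bytes have the high bit set and two are control bytes, which is why a signature looking for opaque binary in a mail body matches. If every one of the 28 lines profiles like this, the sensible next step is on the mail side (check whether the relay pair negotiates 8BITMIME and whether the attachment was supposed to be base64-encoded) and on the IDS side (tune the event for that specific relay-to-relay flow rather than globally), not a block.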