Re: ISS Proventia email overflow

Is the email spam or did is it from a known good source?

On Nov 20, 2007 10:59 AM, Albert R. Campa <abcampa@xxxxxxxxx> wrote:
I dont know that it is an actual email, but this is 1 of 28 lines that
I took from a packet capture in the smtp portion of the packet

Message: \252\225U\376\207\251\326\270\001II\341\321\321I\001R\n

some lines are longer some shorter but 28 of them. I guess this is
what is causing the event to trigger.



On Nov 20, 2007 9:43 AM, David Maynor <dmaynor@xxxxxxxxx> wrote:
What is contained in that email? Specifically that check is looking
for strings that could be used as the payload in a buffer overflow.
There is always a chance of positives but I would love to see what
kinda of legit email contains characters that could be translated to
machine code in a useful fashion.


On Nov 19, 2007 5:28 PM, Albert R. Campa <abcampa@xxxxxxxxx> wrote:
Hi guys,

I am getting spurts of events trigerred by ISS Proventia, with the
following vuln description:
Vulnerability description
In buffer overflow attacks, an attacker supplies data that is longer
than the available space to hold it. For stack allocated variables,
this usually means the attacker can corrupt other variables and
eventually modify the code that is executed when the function in which
the overflow occurs ends.

http://www.iss.net/security_center/reference/vuln/EMail_Generic_Intel_Overflow.htm

They are from a trusted mail server so its not being blocked.

Do you think this is just a true false positive or is this trusted
mail server sending bad packets?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------





------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: ISS Proventia email overflow
    ... I took from a packet capture in the smtp portion of the packet ... In buffer overflow attacks, an attacker supplies data that is longer ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: ISS Proventia email overflow
    ... I took from a packet capture in the smtp portion of the packet ... In buffer overflow attacks, an attacker supplies data that is longer ... They are from a trusted mail server so its not being blocked. ...
    (Focus-IDS)
  • RE: Intrusion Prevention requirements document
    ... The tools consider one interface as "client" and other ... Packet 1 is first sent out on client interface. ... > my previous company was Blade Software where I developed IDS Informer ... Up to 75% of cyber attacks are launched on shopping carts, ...
    (Pen-Test)
  • Re: Smurf ,land attacks
    ... > Subject: AW: Smurf,land attacks ... > with "IP spoofing" you give a different source address to the packet. ... > Smurf is a DoS-Attack ...
    (Security-Basics)
  • Re: How to determine TCP/IP pack source IP spoofing?
    ... Maybe I don't have a concern -- if the packet is external and spoofed the ... I guess you might say I'm working on a bait and trap ... project or at the very least bait and identify (since most remote attacks ... seem to come from outside the US) before the drone can even start other ...
    (microsoft.public.windowsxp.security_admin)