Re: Real-world attacks on sendmail CA-2003-07 seen

From: Curt Wilson (netw3_security@hushmail.com)
Date: 03/10/03

Next message: SB CH: "against illegal arp update"

Previous message: Curt Wilson: "Bypassing Black Ice PC protection?"
Maybe in reply to: Bennett Todd: "Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: jlewis@lewis.org: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 10 Mar 2003 00:52:52 -0800
To: incidents@securityfocus.com, bet@rahul.net
From: "Curt Wilson" <netw3_security@hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----

Could "actively exploited" only mean that someone has compiled the LSD code and is launching attacks in an attempt to find a vulnerable systems? I'm guessing (without having tried it yet) that the exploit code, even when directed at a non-vulnerable system, may trigger the log alert that the patch added to sendmail. Of course it would not be too hard for a decent coder to modify the exploit or write their own.

If anyone actally detects a successful exploitation from this type of sendmail attack, for instance on one of your honeypot systems, please publicize any packet captures, tools, and any other data received in the process. I will check my own sendmail logs and see if I can come up with anything interesting on this front.

Curt Wilson

On Fri, 07 Mar 2003 09:37:13 -0800 Bennett Todd <bet@rahul.net> wrote:
>Just a heads-up everyone, the sendmail header parsing buffer
>overflow announced this last Monday, as (among other things) CERT
>CA-2003-07[1] is now being actively exploited on the internet.
>
>We logged received msgs that triggered the truncator code this
>morning at about 3 in the morning, US/Eastern; three different
>attacks spread over two different MX hosts.
>

Curt R. Wilson
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmMEARECACMFAj5sUZMcHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3K3qCAKCSoG5ycdvkiOuP6lHWd9dMENzTwQCdEWdmTcZd0px52BmDK6GXAWdJmbE=
=myz5
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: SB CH: "against illegal arp update"

Previous message: Curt Wilson: "Bypassing Black Ice PC protection?"
Maybe in reply to: Bennett Todd: "Real-world attacks on sendmail CA-2003-07 seen"
Next in thread: jlewis@lewis.org: "Re: Real-world attacks on sendmail CA-2003-07 seen"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]