[29165] in bugtraq
Re: sendmail 8.12.8 available
daemon@ATHENA.MIT.EDU (Nico Erfurth)
Tue Mar 4 14:45:24 2003
Message-ID: <3E64E0A9.5060903@perlgolf.de>
Date: Tue, 04 Mar 2003 18:21:45 +0100
From: Nico Erfurth <masta@perlgolf.de>
MIME-Version: 1.0
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
In-Reply-To: <871y1o2wg6.fsf@Login.CERT.Uni-Stuttgart.DE>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Florian Weimer wrote:
> Claus Assmann <ca+bugtraq@sendmail.org> writes:
>
>
>>Sendmail, Inc., and the Sendmail Consortium announce the availability
>>of sendmail 8.12.8. It contains a fix for a critical security
>>problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
>>for bringing this problem to our attention. Sendmail urges all users to
>>either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
>>is part of this announcement.
>
>
> Would people be willing to share filter rules for other MTAs to block
> offending messages on relays?
>
> Thanks,
I'm not sure how the exploit works, but if I understood the LSD-analysis
correctly, it uses the comment for the payload, and needs many <> in a
parsed header. With exim4, this ACL should/could help.
First it checks for the header-syntax, that will reject the <><><><>
used in the LSD-POC-code. The second condition should refuse to accept
comments longer than 20 chars.
acl_data = check_message
check_message:
require message = Invalid header syntax (Maybe sendmail exploit)
verify = header_syntax
deny message = Ohh, this looks like the sendmail-exploit
condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply_to: \
$h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}}
No warranty ;)
Nico Erfurth
