[Esa-l] Detection rule for sendmail header exploit

John D. Hardin jhardin at impsec.org
Wed Mar 5 07:00:31 PST 2003


Someone has posted a sample exploit for the sendmail header-parsing
bug. No doubt a worm is about a week away now. Warm up your SMTP

Here is a rule which may trap some versions of the attack:

# Attempt to trap sendmail header exploit (signature as of 03/05/3003)
* ^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
| formail -A "X-Content-Security: [$HOST] NOTIFY" \
	  -A "X-Content-Security: [$HOST] QUARANTINE" \
	  -A "X-Content-Security: [$HOST] REPORT: Trapped possible
sendmail header exploit"

Sanitizer users should add this into their local-rules ruleset (see
the documentation page about that).

Others should change the formail command to whatever you deem
appropriate for dealing with a possible attack message. I do not
recommend saving it straight to /dev/null.

Note that this will not, of course, protect a vulnerable sendmail on
the system where it's installed, as the exploit happens before
procmail gets a crack at the message. However, you probably do want to
use this to scan relayed mail and outbound mail so that possibly
vulnerable MTAs further on are protected.

See http://www.impsec.org/email-tools/procmail-on-gateway.txt for one
way to run relayed mail through procmail.

Sanitizer home page:


 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ...voice or no voice, the people can always be brought to the bidding
 of the leaders. That is easy. All you have to do is tell them they
 are being attacked and denounce the pacifists for lack of patriotism
 and exposing the country to danger. It works the same way in any
                                            -- Hermann Goering
   78 days until The Matrix Reloaded

More information about the esa-l mailing list