[Esd-l] Detection rule for sendmail header exploit

John D. Hardin jhardin at impsec.org
Fri Mar 7 06:49:13 PST 2003


On Fri, 7 Mar 2003, daniel lance herrick wrote:

> On Thu, 6 Mar 2003, John D. Hardin wrote:
> 
> > * ^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
> 
> Anyway, every time someone copies the above line
> into the list, I spend a bit of time trying to
> make sense of it....
> 
> What I see is a pattern that matches exactly five
> (not three, not six) empty addresses enclosed in
> angle brackets and separated by anything

Note that ".*" will match "<>", so the above expression matches five
<> separated by anything and preceded and followed by anything -
including more <> pairs.

I am assuming that more than one empty address "<>" in those headers
is never going to appear in a valid message; looking for five is just
increasing the "slop factor" in that assumption to reduce false
positives. If you were more paranoid you could up that to 20 or 30
pairs. Any exploit will probably require more than a hundred pairs to
tickle the bug.
> followed by a comment marked by (at least) an open parenthesis.

Followed by anything within parenthesis. The ending parenthesis is
there in the RE. This may be a weakness, see below.

> Is the signature of the vulnerability really five
> empty addresses followed by a comment? Or am I
> just completely misunderstanding the rule above?

The signature in the published exploit is 138 empty <> pairs, followed
by a 28-byte binary exploit in parentheses. The general form is enough
<> pairs to push the buffer-size variable past the actual end of the
buffer, followed by the exploit within an RFC822 comment.

Other exploits may have more <> pairs, may have garbage between the <>
pairs to try to avoid pattern-matching traps (e.g.
<>fnord<>fnord<>fnord<>), and will probably have a longer exploit than
the one posted this week.

There are two possible weaknesses in the above RE:

1) that the <> pairs can be non-empty and the exploit still works, and

2) that the comment can be unterminated - no trailing ) - and the
exploit still works.

Anybody care to play around with the published exploit to test these
cases, and report the results?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 ...voice or no voice, the people can always be brought to the bidding
 of the leaders. That is easy. All you have to do is tell them they
 are being attacked and denounce the pacifists for lack of patriotism
 and exposing the country to danger. It works the same way in any
 country.
                                            -- Hermann Goering
-----------------------------------------------------------------------
   76 days until The Matrix Reloaded
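To see how the two weaknesses raised above play out against the posted rule, here is an added Python check, not part of the post or of the Sanitizer, that runs the posted RE and a hypothetical stricter variant over constructed header lines; the stricter RE and the sample lines are my own assumptions, and the comment body is a placeholder rather than any real payload.

```python
import re

# The rule as posted to the list. procmail conditions are case-insensitive
# unless the D flag is given, so IGNORECASE mirrors that default.
ORIGINAL_RULE = re.compile(
    r'^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)',
    re.IGNORECASE,
)

# Hypothetical stricter variant (an assumption, not from the post): it counts
# any bracketed address, empty or not, and does not require a closing ')'.
# Five pairs keeps the same "slop factor" the post describes.
STRICTER_RULE = re.compile(
    r'^(From|To|CC|Reply-To|Resent-From):(?:.*<[^>]*>){5}.*\(',
    re.IGNORECASE,
)

def matches(rule, header_line):
    """True if the header line trips the given detection rule."""
    return rule.search(header_line) is not None

# Constructed sample header lines. 'XXXX' stands in for the comment body;
# 138 is the pair count the post quotes for the published exploit.
SAMPLES = {
    "normal":          "From: Alice <alice@example.com> (Alice Example)",
    "empty_pairs":     "To: " + "<>" * 138 + "(XXXX)",
    "garbage_between": "To: " + "<>fnord" * 138 + "(XXXX)",
    "nonempty_pairs":  "To: " + "<a>" * 138 + "(XXXX)",   # weakness 1
    "unterminated":    "To: " + "<>" * 138 + "(XXXX",     # weakness 2
}

def evaluate(rule):
    """Map each sample name to whether the rule matches it."""
    return {name: matches(rule, line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("posted", ORIGINAL_RULE), ("stricter", STRICTER_RULE)):
        print(label, evaluate(rule))
```

The posted RE misses the non-empty-pair and unterminated-comment cases, which is exactly the gap the two numbered weaknesses describe; the stricter variant catches both while still leaving the ordinary header alone.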