670.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
670

--
Summary:
This event is generated when an external attacker attempts to use a specific exploit against Sendmail that allows the attacker to execute remote commands on the server, and to email files from the server to a remote email account.

--
Impact:
Severe. Remote execution of arbitrary code, possibly leading to remote root compromise, or at the very least, information disclosure. 

--
Detailed Information:
Sendmail 8.6.9 and earlier contain a vulnerability related to the parsing of commands passed from ident to Sendmail. An attacker can use a specific exploit to send a message through the mail server. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail. The exploit in question allows the attacker to execute commands to email files from the server to a remote email account.

--
Affected Systems:
Systems running unpatched versions of Sendmail 8.6.9 or earlier.

--
Attack Scenarios:
An attacker sends an email generated by the exploit, and customizes it to mail the server's password file to a remote email account. The attacker then cracks the passwords in the password file and is able to access the server directly.

--
Ease of Attack:
Simple. An exploit exists.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to Sendmail 8.6.10 or higher.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Sourcefire Technical Publications Team
Jen Harvey <jennifer.harvey@sourcefire.com>

--
Additional References:
CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204

Bugtraq
http://www.securityfocus.com/bid/2311

--