663.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
663

--
Summary:
This event is generated when the string "|sed -e '1,/^$/'" is found in the payload of a packet sent to a Sendmail server.  This may be an attempt to exploit a problem in older versions of Sendmail. 

--
Impact:
Attempted administrator access.  A successful attack can allow remote execution of commands at the privilege level of Sendmail, usually root.

--
Detailed Information:
A vulnerability exists in older versions of Sendmail associated with the debug mode.  Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail, often times root.  The "sed" command is used to strip off the mail headers before executing the supplied command.  This vulnerability was exploited by the Morris worm.

--
Affected Systems:
Sendmail versions prior to 5.5.9.

--
Attack Scenarios:
An attacker can craft a recipient name that is a command. This command executes arbitrary code on the server. 

--
Ease of Attack:
Easy.  An attacker can telnet to port 25 of a vulnerable server, enter debug mode, and craft a malicious recipient containing a command to be executed.

--
False Positives:
It is possible that this event may be generated by text in the DATA section of a pipelined SMTP transaction.

--
False Negatives:
This rule generates an event based on a specific string in the packet payload.  An attacker could craft payloads with other malicious commands.

--
Corrective Action:
Upgrade to Sendmail version 5.5.9 or higher.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/1

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095

Arachnids:
http://www.whitehats.com/info/IDS172


--