[Esd-l] RE: Detection rule for sendmail header exploit
John D. Hardin
jhardin at impsec.org
Mon Mar 10 19:42:13 PST 2003
On Mon, 10 Mar 2003, Mike Loiterman wrote:
> Actually, I was referring to your comment in one of the last
> digests. This doesn't seem to be incorporated in the file from
> 3/5/03:
>
> > Another point to note is that the RE should begin with the
> > following in order to trap all headers for which sendmail is
> > vulnerable:
> >
> > * ^((resent-)?(sender|from|(reply-)?to|cc|bcc)\
> > |(errors|disposition-notification|apparently)-to):
>
> Thanks! I've incorporated that.
>
> Is this an additional part to the sendmail exploit rule, or is
> this for something else?
No, the sendmail exploit rule was altered to imcorporate the above RE.
The local-rules file on the website (NOT the example in the
documentation) includes these changes. I just verified that now. It's
dated 3/8/2003.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...voice or no voice, the people can always be brought to the bidding
of the leaders. That is easy. All you have to do is tell them they
are being attacked and denounce the pacifists for lack of patriotism
and exposing the country to danger. It works the same way in any
country.
-- Hermann Goering
-----------------------------------------------------------------------
73 days until The Matrix Reloaded
More information about the esd-l
mailing list