Esetleg ha valakit érdekel... --------- Eredeti üzenet --------- Tárgy: header_checks REJECT rule for sendmail exploit Dátum: Tue, 4 Mar 2003 11:46:33 -0500 (EST) Feladó: wietse@porcupine.org (Wietse Venema) To: Postfix users <postfix-users@postfix.org> CC: Postfix announce <postfix-announce@postfix.org> The header_checks pattern described below stops a recently posted Sendmail buffer overflow exploit. The exploit in question involves a sequence of <> character pairs. Sendmail increments a buffer limit pointer when it finds '>' as part of a correctly formatted email address in a message header. This is a problem because Sendmail never decremented the buffer limit pointer when it found the corresponding '<'. Thus, enough <> pairs may cause Sendmail to write past the end of a fixed-length (256 byte) buffer. This buffer is in static memory. To activate the header_checks pattern, use regexp tables if your system does not support PCRE tables. See "postconf -m" output to find out what lookup tables are supported. /etc/postfix/main.cf: # Specify either regexp or pcre. pcre is usually faster. header_checks = regexp:/etc/postfix/header_checks header_checks = pcre:/etc/postfix/header_checks /etc/postfix/header_checks: # Presumed exploit for http://www.cert.org/advisories/CA-2003-07.html /<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow exploit Note: Postfix versions before 1.1 do not support text after "reject". If you install this filter on a gateway machine, then the gateway can protect internal Sendmail systems against mail from outside that attempts to exploit this specific vulnerability. Wietse