[zorp-hu] [Fwd: header_checks REJECT rule for sendmail exploit]
narancs
zorp-hu@lists.balabit.hu
Wed, 05 Mar 2003 10:49:25 +0100
Esetleg ha valakit =E9rdekel...
--------- Eredeti =FCzenet ---------
T=E1rgy: header_checks REJECT rule for sendmail exploit
D=E1tum: Tue, 4 Mar 2003 11:46:33 -0500 (EST)
Felad=F3: wietse@porcupine.org (Wietse Venema)
To: Postfix users <postfix-users@postfix.org>
CC: Postfix announce <postfix-announce@postfix.org>
The header_checks pattern described below stops a recently posted
Sendmail buffer overflow exploit.
The exploit in question involves a sequence of <> character pairs.
Sendmail increments a buffer limit pointer when it finds '>' as
part of a correctly formatted email address in a message header.
This is a problem because Sendmail never decremented the buffer
limit pointer when it found the corresponding '<'. Thus, enough <>
pairs may cause Sendmail to write past the end of a fixed-length
(256 byte) buffer. This buffer is in static memory.
To activate the header_checks pattern, use regexp tables if your
system does not support PCRE tables. See "postconf -m" output to
find out what lookup tables are supported.
/etc/postfix/main.cf:
# Specify either regexp or pcre. pcre is usually faster.
header_checks =3D regexp:/etc/postfix/header_checks
header_checks =3D pcre:/etc/postfix/header_checks
/etc/postfix/header_checks:
# Presumed exploit for http://www.cert.org/advisories/CA-2003-07.html
/<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow ex=
ploit
Note: Postfix versions before 1.1 do not support text after "reject".
If you install this filter on a gateway machine, then the gateway
can protect internal Sendmail systems against mail from outside
that attempts to exploit this specific vulnerability.
Wietse