HPE Community
Operating System - HP-UX
1824065 Members
2817 Online
109668 Solutions
New Discussion юеВ

sendmail " header field (possible attack)"

 
SOLVED
Go to solution
someone_4
Honored Contributor

тАО04-21-2003 04:42 PM

тАО04-21-2003 04:42 PM

sendmail " header field (possible attack)"

Apr 21 19:13:53 lvapp13 sendmail[11317]: h3M0Dq6s011308: Fixed MIME Content-Type
header field (possible attack)
Apr 21 19:31:08 lvapp13 sendmail[22238]: h3M0V76s022229: Fixed MIME Content-Type
header field (possible attack)
Apr 21 19:34:31 lvapp13 sendmail[24426]: h3M0YT6s024412: Fixed MIME Content-Type
header field (possible attack)
0 Kudos
Reply
5 REPLIES 5
someone_4
Honored Contributor

тАО04-21-2003 04:43 PM

тАО04-21-2003 04:43 PM

Re: sendmail " header field (possible attack)"

sorry .. about that
I hit enter too fast.
I am seeing the above error in my syslog.
I an running sendmail 8.12.9 from source. I have not been able to find anything on sendmail.org about that error. Would any here happend to know what it mans?

Thanks
Richard
0 Kudos
Reply
John Poff
Honored Contributor

тАО04-21-2003 06:03 PM

тАО04-21-2003 06:03 PM

Re: sendmail " header field (possible attack)"

Hi Richard,

It looks like sendmail used to have a bug during MIME
conversions which could allow the stack to be overwritten,
causing a buffer overflow and possible root priviliges for
an attacker. The newer versions of sendmail have been patched
to stop the MIME header attack and to warn you about possible
attacks. I'd suggest trying to look at the messages that
were coming in to see who they were from and what they
might have been sending you.

Take a look at this link:

http://lists.suse.com/archive/suse-security/2001-Feb/0297.html

JP
0 Kudos
Reply
someone_4
Honored Contributor

тАО04-22-2003 07:04 AM

тАО04-22-2003 07:04 AM

Re: sendmail " header field (possible attack)"

Hi john
I am using 8.12.9
and I is supposed to be patched for everything.

Richard
0 Kudos
Reply
John Poff
Honored Contributor

тАО04-22-2003 08:01 AM

тАО04-22-2003 08:01 AM

Re: sendmail " header field (possible attack)"

Hi,

I don't think it is a problem with not having a patch in your sendmail, it is just the opposite. You do have the patch in your sendmail and it is catching the bad MIME headers for you, and reporting it to your syslog.

I guess the real trick is to figure out what the bad headers are, and also who is sending them and why.

JP
Reply
Berlene Herren
Honored Contributor

тАО04-22-2003 10:45 AM

тАО04-22-2003 10:45 AM

Solution

Re: sendmail " header field (possible attack)"

It's a MIME header exploit that attempts to take advantage of a possible buffer overflow condition that existed in some older MTA software, whereby header
characters beyond the 256th could be written to memory. If those characters
contained executable code, it was possible to run a program of some sort.

Your sendmail truncated the header to 256 characters.

Berlene

(Tks Tony)
http://www.mindspring.com/~bkherren/dobes/index.htm
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.