Operating System - HP-UX

sendmail " header field (possible attack)"

 
someone_4
Honored Contributor


Apr 21 19:13:53 lvapp13 sendmail[11317]: h3M0Dq6s011308: Fixed MIME Content-Type header field (possible attack)
Apr 21 19:31:08 lvapp13 sendmail[22238]: h3M0V76s022229: Fixed MIME Content-Type header field (possible attack)
Apr 21 19:34:31 lvapp13 sendmail[24426]: h3M0YT6s024412: Fixed MIME Content-Type header field (possible attack)
someone_4
Honored Contributor

Re: sendmail " header field (possible attack)"

sorry .. about that
I hit enter too fast.
I am seeing the above error in my syslog.
I am running sendmail 8.12.9 from source. I have not been able to find anything on sendmail.org about that error. Would anyone here happen to know what it means?

Thanks
Richard
John Poff
Honored Contributor

Re: sendmail " header field (possible attack)"

Hi Richard,

It looks like sendmail used to have a bug during MIME
conversions which could allow the stack to be overwritten,
causing a buffer overflow and possible root privileges for
an attacker. The newer versions of sendmail have been patched
to stop the MIME header attack and to warn you about possible
attacks. I'd suggest trying to look at the messages that
were coming in to see who they were from and what they
might have been sending you.

Take a look at this link:

http://lists.suse.com/archive/suse-security/2001-Feb/0297.html

JP
someone_4
Honored Contributor

Re: sendmail " header field (possible attack)"

Hi John,
I am using 8.12.9
and it is supposed to be patched for everything.

Richard
John Poff
Honored Contributor

Re: sendmail " header field (possible attack)"

Hi,

I don't think it is a problem with not having a patch in your sendmail, it is just the opposite. You do have the patch in your sendmail and it is catching the bad MIME headers for you, and reporting it to your syslog.

I guess the real trick is to figure out what the bad headers are, and also who is sending them and why.

JP
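
One way to follow up on the suggestion above and find out who is sending the flagged messages, as an added example that is not part of the original thread: join each "Fixed MIME" warning to the `from=` line that shares its queue ID. It assumes each syslog entry is on a single line and that sendmail's usual `from=..., relay=...` envelope line is present in the same log; the `from=` lines, addresses and relay hosts in the sample are constructed.

```python
import re

# Constructed sample. The "Fixed MIME" lines copy the format shown in the post;
# the from= lines, addresses and relay hosts are made up for illustration.
SAMPLE_LOG = """\
Apr 21 19:13:52 lvapp13 sendmail[11308]: h3M0Dq6s011308: from=<sender@example.net>, size=48211, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Apr 21 19:13:53 lvapp13 sendmail[11317]: h3M0Dq6s011308: Fixed MIME Content-Type header field (possible attack)
Apr 21 19:20:00 lvapp13 sendmail[15000]: h3M0K06s015000: from=<ok@example.org>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Apr 21 19:31:08 lvapp13 sendmail[22238]: h3M0V76s022229: Fixed MIME Content-Type header field (possible attack)
"""

# Captures: timestamp, host, queue ID, message text
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sendmail\[\d+\]: (\w+): (.*)$")
FIXED = re.compile(r"Fixed MIME (\S+) header field \(possible attack\)")
SENDER = re.compile(r"from=(\S+?),")
RELAY = re.compile(r"relay=(.+?)(?:,|$)")


def correlate(log_text):
    """Return one record per queue ID that logged a 'Fixed MIME' warning."""
    envelopes = {}  # queue ID -> (sender, relay) taken from the from= line
    flagged = {}    # queue ID -> (timestamp, header name), first warning only
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, _host, qid, text = m.groups()
        fixed = FIXED.search(text)
        if fixed:
            flagged.setdefault(qid, (stamp, fixed.group(1)))
        elif text.startswith("from="):
            sender = SENDER.search(text)
            relay = RELAY.search(text)
            envelopes[qid] = (sender.group(1) if sender else None,
                              relay.group(1) if relay else None)
    # Join on queue ID, not PID: the warning can come from a different process
    # than the one that logged from=. A missing from= line (for example, a
    # rotated log) leaves sender and relay as None instead of dropping the hit.
    return [{"queue_id": q, "time": t, "header": h,
             "sender": envelopes.get(q, (None, None))[0],
             "relay": envelopes.get(q, (None, None))[1]}
            for q, (t, h) in flagged.items()]


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```
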
Berlene Herren
Honored Contributor
Solution

Re: sendmail " header field (possible attack)"

It's a MIME header exploit that attempts to take advantage of a possible buffer overflow condition that existed in some older MTA software, whereby header
characters beyond the 256th could be written to memory. If those characters
contained executable code, it was possible to run a program of some sort.

Your sendmail truncated the header to 256 characters.

Berlene

(Tks Tony)
http://www.mindspring.com/~bkherren/dobes/index.htm