BugTraq
> Claus Assmann <ca+bugtraq (at) sendmail (dot) org> writes:
>
>
>>Sendmail, Inc., and the Sendmail Consortium announce the availability
>>of sendmail 8.12.8. It contains a fix for a critical security
>>problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
>>for bringing this problem to our attention. Sendmail urges all users to
>>either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
>>is part of this announcement.
>
>
> Would people be willing to share filter rules for other MTAs to block
> offending messages on relays?
>
> Thanks,

I'm not sure how the exploit works, but if I understood the LSD-analysis
correctly, it uses the comment for the payload, and needs many <> in a
parsed header. With exim4, this ACL should/could help.

First it checks the header syntax, which will reject the <><><><>
used in the LSD-POC-code. The second condition should refuse to accept
comments longer than 20 chars.
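
# main configuration section: Exim 4 names the DATA-time ACL option acl_smtp_data
acl_smtp_data = check_message

check_message:
  # reject mail whose address headers fail the syntax check
  require message = Invalid header syntax (Maybe sendmail exploit)
          verify = header_syntax
  # reject mail with a comment of more than 20 characters in an address header
  deny    message = Ohh, this looks like the sendmail-exploit
          condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply_to: $h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}}
  # an ACL that runs off its end denies, so accept everything else
  accept
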
No warranty ;)
Nico Erfurth
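
The comment-length check described in the reply above, as an added example in Python (not part of the original post and not Exim code): it measures RFC 2822 comments with a small scanner that honours nesting, quoted strings and backslash escapes, and keeps the posted pattern as POST_REGEX for comparison. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

ADDRESS_HEADERS = ("From", "Cc", "Bcc", "Reply-To", "Sender", "To")
MAX_COMMENT = 20                         # limit used in the post
POST_REGEX = re.compile(r"\(.{21,}?\)")  # pattern from the posted ACL condition

def longest_comment(value):
    """Length of the longest top-level RFC 2822 comment in a header value."""
    depth = start = longest = i = 0
    in_quotes = False
    while i < len(value):
        ch = value[i]
        if ch == "\\":                   # quoted-pair: skip the escaped character
            i += 2
            continue
        if ch == '"' and depth == 0:     # quoted strings cannot contain comments
            in_quotes = not in_quotes
        elif not in_quotes and ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1                   # comments may nest
        elif not in_quotes and ch == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                longest = max(longest, i - start)
        i += 1
    if depth > 0:                        # unterminated comment: count to the end
        longest = max(longest, len(value) - start)
    return longest

def suspicious_headers(raw_message):
    """Return (header, comment_length) for each over-long address-header comment."""
    msg = message_from_string(raw_message)
    hits = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            n = longest_comment(value)
            if n > MAX_COMMENT:
                hits.append((name, n))
    return hits

# Constructed sample messages (not taken from the thread)
BENIGN = ('From: "Smith (sales department, 3rd floor)" <s@example.org>\n'
          "To: b@example.org (Bob), c@example.org (Carol)\n\nhi\n")
LONG = "From: a@example.org (" + "x" * 40 + ")\nTo: b@example.org\n\nhi\n"
```

On BENIGN, POST_REGEX matches both headers although no comment exceeds 20 characters, because `.` also matches `)` and text inside quoted strings; suspicious_headers returns nothing for BENIGN and flags only the From header of LONG.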