[wietse at porcupine.org: header_checks REJECT rule for sendmail exploit]

Peter Mann Peter.Mann at tuke.sk
Tuesday March 4 19:43:41 CET 2003


----- Forwarded message from Wietse Venema <wietse at porcupine.org> -----

From: wietse at porcupine.org (Wietse Venema)
To: Postfix users <postfix-users at postfix.org>
Subject: header_checks REJECT rule for sendmail exploit
Date: Tue, 4 Mar 2003 11:46:33 -0500 (EST)
Cc: Postfix announce <postfix-announce at postfix.org>
X-Mailer: ELM [version 2.4ME+ PL82 (25)]

The header_checks pattern described below stops a recently posted
Sendmail buffer overflow exploit.

The exploit in question involves a sequence of <> character pairs.
Sendmail increments a buffer limit pointer when it finds '>' as
part of a correctly formatted email address in a message header.
This is a problem because Sendmail never decremented the buffer
limit pointer when it found the corresponding '<'. Thus, enough <>
pairs may cause Sendmail to write past the end of a fixed-length
(256 byte) buffer. This buffer is in static memory.

To activate the header_checks pattern, use regexp tables if your
system does not support PCRE tables. See "postconf -m" output to
find out what lookup tables are supported.

/etc/postfix/main.cf:
    # Specify either regexp or pcre. pcre is usually faster.
    header_checks = regexp:/etc/postfix/header_checks
    header_checks = pcre:/etc/postfix/header_checks

/etc/postfix/header_checks:
    # Presumed exploit for http://www.cert.org/advisories/CA-2003-07.html
    /<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow exploit

Note: Postfix versions before 1.1 do not support text after "reject".

If you install this filter on a gateway machine, then the gateway
can protect internal Sendmail systems against mail from outside
that attempts to exploit this specific vulnerability.

	Wietse

----- End forwarded message -----

-- 

5o   Peter.Mann at tuke.sk
     KLFMANiK ICQ 12491471
         PM2185-RIPE
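
An added example, not part of the forwarded message or of Postfix itself: a small Python emulation of how the header_checks rule above is evaluated, useful for checking the pattern against sample headers before deploying it on a gateway. It assumes only the simple `/pattern/ action text` rule form, and the sample headers are constructed.

```python
import re

# The table from the message, in Postfix regexp-table syntax.
HEADER_CHECKS = """\
# Presumed exploit for http://www.cert.org/advisories/CA-2003-07.html
/<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow exploit
"""

# Constructed sample headers, one logical header per entry.
SAMPLE_HEADERS = [
    "From: Alice Example <alice@example.org>",
    "To: <bob@example.org>, <carol@example.org>",
    "Return-Path: <>",
    "Cc: " + "<>" * 6,
]

RULE = re.compile(r"^/(.+?)/([a-zA-Z]*)\s+(\S+)\s*(.*)$")

def load_rules(text):
    """Parse '/pattern/ action text' lines; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        pattern, _flags, action, note = m.groups()
        # Assumption: flags are ignored; matching is case-insensitive,
        # the default for Postfix regexp tables.
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), note))
    return rules

def check_header(rules, header):
    """Return (action, text) of the first matching rule, else None."""
    for regex, action, note in rules:
        if regex.search(header):
            return action, note
    return None

if __name__ == "__main__":
    rules = load_rules(HEADER_CHECKS)
    for header in SAMPLE_HEADERS:
        print(check_header(rules, header) or "pass", "|", header)
```

On a Postfix host, `postmap -q "header text" regexp:/etc/postfix/header_checks` queries the real table with the same input.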

