
Re: [Full-Disclosure] TCP port 25 traffic?



On Sat, 16 Aug 2003 15:45:09 -0700
Josh Karp <josh.karp@visionael.com> wrote:

> I've seen an unusual amount of connection attempts to TCP port 25 on a
> particular system in my network as of the past 48 hours or so. It's only
> this one system, and it's multiple source IPs. Is there anything new for
> SMTP? 
> 
> Thanks for any info... josh 
> 
Hello all,

first post on this list *sigh*.
The German RUS-CERT of the University of Stuttgart stated on Thu, 14 August that there is a flaw in Exim (Ver. 3.x and 4.x up to 4.20). Version 4.21 is not affected. In these versions it is possible to overflow a buffer using the HELO or EHLO command.

According to the post, the buffer can only be overwritten with constant data that is not given by the attacker. So an exploitation of this flaw is unlikely.

You can use these patches to fix up the flaw: 

http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html


If you are capable of reading German, here is the original post:

http://CERT.Uni-Stuttgart.DE/ticker/article.php?mid=1133


As stated earlier, it is unlikely that this flaw can be exploited, but one never knows. I could not confirm any odd behaviour of Exim since I am using vendor-provided versions which obviously are not affected.

Greetings,

M.W.
(apologies for my bad English if you find it to be so)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html