Signature Detail

Short Name	SMTP:EMAIL:RCPT-TO-DECODE
Severity	High
Recommended	No
Recommended Action	Drop
Category	SMTP
Keywords	RCPT TO "decode"
Release Date	2003/04/22
Update Number	1213
Supported Platforms	di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SMTP: RCPT TO "decode"

This signature detects attempts to send shell commands through an SMTP e-mail message by exploiting the "decode" e-mail alias vulnerability. Attackers can use the invalid "rcpt to decode" as the "rcpt to" e-mail address to cause Sendmail to reroute data to the program uudecode. Attackers can then send uuencoded data to overwrite files or place an arbitrary .rhosts files onto the system.

Extended Description

A vulnerability in Eric Allman's Sendmail prior to version 8.6.10 (and any versions based on 5.x) can be exploited to gain root access on the affected machine. This vulnerability involves sending invalid "mail from" and "rcpt to" addresses that cause sendmail to inappropriately redirect data to another program.

Affected Products

Eric Allman Sendmail 5.58.0
Eric Allman Sendmail 5.59.0

References

BugTraq: 2308
CVE: CVE-1999-0096
URL: http://www.networkice.com/Advice/Intrusions/2001013/default.htm
URL: http://www.iss.net/security_center/advice/Services/E-Mail/Sendmail/default.htm
URL: http://www.ciac.org/ciac/bulletins/a-14.shtml

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

SMTP: RCPT TO "decode"

Extended Description

Affected Products

References