SMTP: RCPT TO "decode"

This signature detects attempts to send shell commands through an SMTP e-mail message by exploiting the "decode" e-mail alias vulnerability. Attackers can supply the invalid recipient "decode" as the "rcpt to" e-mail address to cause Sendmail to reroute the message data to the program uudecode. Attackers can then send uuencoded data to overwrite files or place an arbitrary .rhosts file onto the system.
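The check this signature describes can be approximated offline over captured SMTP command lines. The following is an added example, not Juniper's signature logic: the function names, the sample session, and the `example.test` hosts are constructed for illustration.

```python
import re

# Local parts to flag. Only "decode" is named by this signature.
RISKY_LOCAL_PARTS = {"decode"}

# RCPT TO:<path>, tolerating case, extra whitespace, missing angle
# brackets, an RFC 5321 source route ("@relay:") and trailing parameters.
RCPT_RE = re.compile(
    r'^\s*RCPT\s+TO\s*:\s*<?\s*(?:@[^:>]*:)?([^>\s]*)>?', re.IGNORECASE)

def local_part(path):
    """Return the lower-cased local part of an SMTP forward-path."""
    path = path.strip()
    if path.startswith('"'):
        # Quoted local part: take the text between the first pair of quotes.
        end = path.find('"', 1)
        local = path[1:end] if end > 0 else path[1:]
    else:
        local = path.split("@", 1)[0]
    return local.lower()

def find_decode_recipients(lines, risky=RISKY_LOCAL_PARTS):
    """Return (line_number, line) for each RCPT TO aimed at a risky alias."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = RCPT_RE.match(line)
        if m and local_part(m.group(1)) in risky:
            hits.append((n, line.strip()))
    return hits

# Constructed sample session (client commands only).
SAMPLE = [
    "MAIL FROM:<decode@example.test>",      # sender, not a recipient
    "RCPT TO:<decode>",                     # bare alias
    "rcpt to: decode",                      # lower case, no brackets
    'RCPT TO:<"decode"@mail.example.test>', # quoted local part
    "RCPT TO:<@relay.example.test:DeCoDe@mail.example.test> NOTIFY=NEVER",
    "RCPT TO:<decoder@example.test>",       # different mailbox
    "DATA",
]

if __name__ == "__main__":
    for n, line in find_decode_recipients(SAMPLE):
        print(f"line {n}: {line}")
```

Matching the whole local part, rather than searching for the substring "decode", keeps mailboxes such as `decoder` from raising false positives.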

Extended Description

A vulnerability in Eric Allman's Sendmail prior to version 8.6.10 (and any versions based on 5.x) can be exploited to gain root access on the affected machine. This vulnerability involves sending invalid "mail from" and "rcpt to" addresses that cause sendmail to inappropriately redirect data to another program.

Affected Products

Eric_allman sendmail

Short Name: SMTP:EMAIL:RCPT-TO-DECODE
Severity: Major
Recommended: False
Recommended Action: Drop
Category: SMTP
Keywords: "decode" CVE-1999-0096 RCPT TO bid:2308
Release Date: 04/22/2003
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3375
False Positive: Unknown
Vendors

Eric_allman

CVSS Score

5.0
