File: 100000170.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (61 lines) | stat: -rw-r--r-- 1,378 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Rule: 

--
Sid: 
100000170

-- 
Summary: 
This event is generated when an overly long Host: parameter is sent in an HTTP 
request, which will cause a buffer overflow to occur in the GFI MailSecurity 
for Exchange/SMTP web interface.

--
Impact:
A denial of service will occur in the vulnerable application, and remote code 
may be executed with the priviliges of the user running the application.

--
Detailed Information:
GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates 
with Microsoft Exchange servers. Its web interface is vulnerable to a buffer 
overflow attack, which may be triggered by sending a Host: parameter of 100 or 
more bytes in an HTTP request. Vulnerable versions of the application will 
crash, and code may be executed with the priviliges of the user running the 
program.

--
Affected Systems:
GFI MailSecurity for Exchange/SMTP 8.1

--
Attack Scenarios:
Attackers will likley exploit this with a script.

--
Ease of Attack:
Simple, as no authentication is required, and HTTP is a well-documented 
protocol, which allows for easy creation of malicious packets.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Download and apply the patch referenced below.

--
Contributors:
rmkml
Sourcefire Research Team

--
Additional References
ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip

--