As it turns out, there are two "Exploit Signatures" that both point to
this.
The following information is quoted from Cisco's Network Security Database.
The first is Q-Mail Length Crash, ID: 3109 - Description: This signature
triggers when an attempt is made to pass an overly long command string to a
mail server.
The second is Qmail Command Length Crash, ID: 1421 - Description: If a
remote attacker passes an overly long command string or list of recipients,
the qmail server will crash due to utilization of all memory resources.
Thank you for your responses; they have been a great help.
Stephen Cook
Ontario Lottery and Gaming Corporation
Charles Cazabon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc:
Subject: Re: qmail length crash
08/17/01 02:04 PM
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I have recently been thrown into the qmail administrator's position. I have
> spent the last three weeks reading "LWQ" along with anything else I can
> locate. I still do not know a lot, but I'm learning.
Welcome; doing your homework is definitely the right way to get started.
> We have a Cisco Intrusion Detection System (IDS) that continuously reports
> qmail length crash events.
As others have noted, it's likely a false positive. Does your IDS
specifically identify this as a qmail problem, or just a generic
smtpd/MTA problem? qmail has no buffer overflow problems in its smtpd,
and the recommended install uses softlimit/ulimit to limit the amount of
memory that qmail-smtpd can take up during message injection.
If Cisco is claiming a particular qmail vulnerability, they've bought
into some incorrect slander about qmail, and should be corrected.
Charles
--
-----------------------------------------------------------------------
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
-----------------------------------------------------------------------