[Dshield] Metamail exploit

Scott Lockington SLockington at vical.com
Tue Dec 6 17:25:05 GMT 2005


Hello, 

We've been seeing, as of yesterday afternoon, 100+ alerts from our Fortigate
IPS for older (2004) Metamail exploits.  We run McAfee Webshield E250 3.0 as
a mail hand-off host to our internal Exchange server, but I can't find on
McAfee's website what SMTP application their product uses, so I can't even
tell if we are vulnerable.  Here are some of the alerts; they seem to come mostly from
webmail and mailing-list IPs.  Sorry, no packet captures; I mainly want to know
if anyone knows the SMTP server that McAfee uses (E250 runs on RedHat 7.0) so I can tell
whether we are vulnerable.  I assume sendmail, but I don't like to assume we're
secure; I like to know.

Thanks

Message meets Alert condition
The following intrusion was observed: "smtp:
Metamail.SMTP.Subject.Buffer.Overflow.B [Reference:
http://www.fortinet.com/ids/ID102498358]".
2005-12-05 13:18:21 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips
subtype=signature pri=alert attack_id=102498358 src=66.80.13.30 dst=10.x.x.x
src_port=53727 dst_port=25 src_int=port2 dst_int=port1 status=detected
proto=6 service=smtp msg="smtp: Metamail.SMTP.Subject.Buffer.Overflow.B
[Reference: http://www.fortinet.com/ids/ID102498358]"

Message meets Alert condition
The following intrusion was observed: "smtp:
Metamail.SMTP.From.Buffer.Overflow.A [Reference:
http://www.fortinet.com/ids/ID102498357]".
2005-12-06 06:35:17 device_id=xxxxxxxxxxx log_id=0420070000 type=ips
subtype=signature pri=alert attack_id=102498357 src=64.12.137.3 dst=10.x.x.x
src_port=34690 dst_port=25 src_int=port2 dst_int=port1 status=detected
proto=6 service=smtp msg="smtp: Metamail.SMTP.From.Buffer.Overflow.A
[Reference: http://www.fortinet.com/ids/ID102498357]" 

Message meets Alert condition
The following intrusion was observed: "smtp:
Metamail.SMTP.Subject.Buffer.Overflow.B, repeated 3 times [Reference:
http://www.fortinet.com/ids/ID102498358]".
2005-12-06 04:42:59 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips
subtype=signature pri=alert attack_id=102498358 src=66.163.179.100
dst=10.x.x.x src_port=28902 dst_port=25 src_int=port2 dst_int=port1
status=detected proto=6 service=smtp msg="smtp:
Metamail.SMTP.Subject.Buffer.Overflow.B, repeated 3 times [Reference:
http://www.fortinet.com/ids/ID102498358]" 

Message meets Alert condition
The following intrusion was observed: "smtp:
Metamail.SMTP.From.Buffer.Overflow.A, repeated 3 times [Reference:
http://www.fortinet.com/ids/ID102498357]".
2005-12-06 04:42:58 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips
subtype=signature pri=alert attack_id=102498357 src=66.163.179.100
dst=10.x.x.x src_port=28902 dst_port=25 src_int=port2 dst_int=port1
status=detected proto=6 service=smtp msg="smtp:
Metamail.SMTP.From.Buffer.Overflow.A, repeated 3 times [Reference:
http://www.fortinet.com/ids/ID102498357]" 



J. Scott Lockington
Network Security Technician
SCNP, Security +
Phone: 858-646-1113
Cell: 858-967-5413
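As an added triage example (my code, not part of the post), a small Python parser that reads Fortigate IPS lines like the ones quoted above, pulls out the signature name, the folded "repeated N times" count and the reference URL, and totals hits per signature and per source address. The sample input is the post's own four alerts re-joined onto single lines; the field layout is assumed to be the plain key=value form shown there.

```python
import re
from collections import Counter

# Constructed sample input: the four Fortigate IPS alerts quoted in the post,
# each re-joined onto one line (device_id and the internal dst masked as in the post).
SAMPLE_ALERTS = """\
2005-12-05 13:18:21 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=102498358 src=66.80.13.30 dst=10.x.x.x src_port=53727 dst_port=25 src_int=port2 dst_int=port1 status=detected proto=6 service=smtp msg="smtp: Metamail.SMTP.Subject.Buffer.Overflow.B [Reference: http://www.fortinet.com/ids/ID102498358]"
2005-12-06 06:35:17 device_id=xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=102498357 src=64.12.137.3 dst=10.x.x.x src_port=34690 dst_port=25 src_int=port2 dst_int=port1 status=detected proto=6 service=smtp msg="smtp: Metamail.SMTP.From.Buffer.Overflow.A [Reference: http://www.fortinet.com/ids/ID102498357]"
2005-12-06 04:42:59 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=102498358 src=66.163.179.100 dst=10.x.x.x src_port=28902 dst_port=25 src_int=port2 dst_int=port1 status=detected proto=6 service=smtp msg="smtp: Metamail.SMTP.Subject.Buffer.Overflow.B, repeated 3 times [Reference: http://www.fortinet.com/ids/ID102498358]"
2005-12-06 04:42:58 device_id=xxxxxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=102498357 src=66.163.179.100 dst=10.x.x.x src_port=28902 dst_port=25 src_int=port2 dst_int=port1 status=detected proto=6 service=smtp msg="smtp: Metamail.SMTP.From.Buffer.Overflow.A, repeated 3 times [Reference: http://www.fortinet.com/ids/ID102498357]"
"""

# key=value pairs; quoted values (msg="...") may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg field: "<service>: <signature>[, repeated N times] [Reference: <url>]"
MSG_RE = re.compile(r'^(?:(?P<svc>\w+): )?(?P<sig>[^,\[]+?)'
                    r'(?:, repeated (?P<n>\d+) times)? \[Reference: (?P<ref>\S+)\]$')

def parse_alert(line):
    """Parse one Fortigate IPS log line into a dict with a normalised signature and hit count."""
    date, time, rest = line.strip().split(" ", 2)
    rec = {"date": date, "time": time}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    m = MSG_RE.match(rec.get("msg", ""))
    if not m:
        raise ValueError("unrecognised msg field: %r" % rec.get("msg"))
    rec["signature"] = m.group("sig")
    rec["reference"] = m.group("ref")
    rec["count"] = int(m.group("n") or 1)   # Fortigate folds repeats into one line
    return rec

def summarize(log_text):
    """Return (hits per signature, hits per (src, signature)) for detected IPS alerts."""
    by_sig, by_src = Counter(), Counter()
    for line in log_text.strip().splitlines():
        rec = parse_alert(line)
        if rec.get("type") != "ips" or rec.get("status") != "detected":
            continue
        by_sig[rec["signature"]] += rec["count"]
        by_src[(rec["src"], rec["signature"])] += rec["count"]
    return by_sig, by_src

if __name__ == "__main__":
    sigs, srcs = summarize(SAMPLE_ALERTS)
    for sig, n in sigs.most_common():
        print("%3d  %s" % (n, sig))
    for (src, sig), n in srcs.most_common():
        print("%3d  %-16s %s" % (n, src, sig))
```

Run against a full export, the per-source totals separate a handful of noisy senders from a broad sweep, which is the first thing to know before deciding whether the IPS signature or the MTA behind it needs attention.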



