[Dshield] Well, there they are -- exploits for latest Microsoft vulnerabilities

Frank Knobbe frank at knobbe.us
Fri Oct 14 02:05:12 GMT 2005


On Fri, 2005-10-14 at 01:02 +0000, Fergie (Paul Ferguson) wrote:
> Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
> http://www.frsirt.com/exploits/20051013.ms05-048.c.php
> 
> Only the MS05-048 is considered to be "high risk", but word to
> the wise...

It also appears to be the easiest to mitigate. Just have your mail relays
remove or replace the "Content-Class:" header line and you should be
safe.

If your mail relay/server doesn't support replacement (most *nix ones
do), you can always stick a *nix box in line before your mail gateway
and use NetSED to replace the Content-Class header. Alternatively, use
Snort-Inline with a replacement rule like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Content-Class replacement"; content:"content-class:"; nocase; replace:"X-Contentclas:";)

I'm not sure if NetSED supports bridging, but I don't see why not. So a
drop-in should be fairly easy.


Cheers,
Frank
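
An added example, not part of the original post: the same header rename done as a relay-side filter on the full message, using the same-length substitution that Snort-Inline's replace option needs. It goes slightly beyond the rule by touching only the header block (the rule's content match also fires on body text) and by covering whitespace before the colon; the function name and the sample message are constructed for illustration.

```python
import re

# Same-length rename of the header name, mirroring the rule above:
# "content-class" and "X-Contentclas" are both 13 bytes, so the message
# length (and, inline, the TCP stream length) does not change.
OLD_NAME = b"content-class"
NEW_NAME = b"X-Contentclas"
assert len(OLD_NAME) == len(NEW_NAME)

# Header name at the start of a line, any case, optional blanks before ':'.
_HDR = re.compile(rb"^" + re.escape(OLD_NAME) + rb"(?=[ \t]*:)",
                  re.IGNORECASE | re.MULTILINE)


def neutralise_content_class(raw: bytes) -> tuple[bytes, int]:
    """Rename Content-Class headers in a raw message (hypothetical helper).

    Returns (rewritten message, number of headers renamed). Only the header
    block is rewritten; the body is passed through byte for byte.
    """
    # The header block ends at the first empty line; accept CRLF or bare LF.
    blank = re.search(rb"\r?\n\r?\n", raw)
    split = blank.start() if blank else len(raw)
    headers, rest = raw[:split], raw[split:]
    headers, count = _HDR.subn(NEW_NAME, headers)
    return headers + rest, count


# Constructed sample message (not taken from any real mail or exploit).
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Content-Class: constructed-value\r\n"
    b"CONTENT-CLASS : second-constructed-value\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"content-class: mentioned in the body\r\n"
)

if __name__ == "__main__":
    cleaned, renamed = neutralise_content_class(SAMPLE)
    print(renamed, "header(s) renamed")
    print(cleaned.decode("ascii"))
```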
