Florian Weimer wrote:
I'm not sure how the exploit works, but if I understood the LSD-analysis correctly, it uses the comment for the payload, and needs many <> in a parsed header. With exim4, this ACL should/could help.
Claus Assmann <ca+bugtraq@sendmail.org> writes:
Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.12.8. It contains a fix for a critical security problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force for bringing this problem to our attention. Sendmail urges all users to either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that is part of this announcement.
Would people be willing to share filter rules for other MTAs to block offending messages on relays? Thanks,
First it checks the header syntax, which will reject the <><><><> used in the LSD PoC code. The second condition should refuse to accept comments longer than 20 chars.
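# Main configuration: the Exim 4 option that names the post-DATA ACL is acl_smtp_data
acl_smtp_data = check_message
# ACL section:
check_message:
  # Reject messages whose address headers are syntactically invalid
  require message   = Invalid header syntax (Maybe sendmail exploit)
          verify    = header_syntax
  # Reject address headers containing a comment longer than 20 characters
  deny    message   = Ohh, this looks like the sendmail-exploit
          condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply-to: \
                      $h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}}
  # An ACL that runs off its end denies, so accept everything else explicitly
  accept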
No warranty ;)
Nico Erfurth
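
Added example, not part of the original post and not Exim code: a Python check that applies the ACL's deny regex to the same six headers and compares it with the length of the longest real comment, parsed with nesting, quoted strings and escapes taken into account. It goes beyond the ACL in that respect; the function names and the sample message are constructed for illustration. It shows that the regex also fires when two short comments sit far apart in one header, which is worth knowing before putting the rule on a production relay.

```python
import re
from email import message_from_string

# Headers and pattern taken from the ACL in the post above.
ADDRESS_HEADERS = ("From", "Cc", "Bcc", "Reply-To", "Sender", "To")
ACL_REGEX = re.compile(r"\(.{21,}?\)")
# Constructed sample message (not from the original thread).
SAMPLE = (
    "From: (work) Alice Example <alice@example.org> (home)\n"
    + "To: bob@example.org (" + "A" * 40 + ")\n"
    + "Subject: test\n\nbody\n"
)

def longest_comment(value):
    """Length of the longest top-level comment in one header value."""
    longest = depth = start = i = 0
    in_quotes = False
    while i < len(value):
        ch = value[i]
        if ch == "\\":                      # quoted-pair: skip escaped char
            i += 2
            continue
        if ch == '"' and depth == 0:        # quotes only matter outside comments
            in_quotes = not in_quotes
        elif not in_quotes and ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif not in_quotes and ch == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                longest = max(longest, i - start)
        i += 1
    if depth > 0:                           # unterminated comment runs to the end
        longest = max(longest, len(value) - start)
    return longest

def check_message(raw):
    """Return (header, longest comment length, ACL regex hit) per address header."""
    msg = message_from_string(raw)
    results = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            flat = " ".join(value.split())  # unfold continuation lines
            results.append((name, longest_comment(flat), bool(ACL_REGEX.search(flat))))
    return results

if __name__ == "__main__":
    for row in check_message(SAMPLE):
        print(row)
```

In the sample, the From header has two 4-character comments yet still matches the ACL regex, while the To header carries a genuine 40-character comment.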