GEN:SID 1:670
Message SMTP sendmail 8.6.9 exploit
Summary This event is generated when an external attacker attempts to use a specific exploit against Sendmail that allows the attacker to execute commands remotely on the server and to email files from the server to a remote email account.
Impact Severe. Remote execution of arbitrary code, possibly leading to remote root compromise, or at the very least, information disclosure.
Detailed Information Sendmail 8.6.9 and earlier contain a vulnerability in the parsing of commands passed from ident to Sendmail. An attacker can use a specific exploit to send a message through the mail server. The message is not properly parsed, and Sendmail forwards the response, with the commands it contains, to its queue. Those commands are then executed while the message awaits delivery in the queue, so the attacker's arbitrary code runs on the server in the security context of Sendmail. The exploit in question allows the attacker to execute commands that email files from the server to a remote email account.
Affected Systems Systems running unpatched versions of Sendmail 8.6.9 or earlier.
Attack Scenarios An attacker sends an email generated by the exploit, customized to mail the server's password file to a remote email account. The attacker then cracks the passwords in the password file and is able to access the server directly.
Ease of Attack Simple. An exploit exists.
Corrective Action Upgrade to Sendmail 8.6.10 or higher.
Additional References CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204

Bugtraq
http://www.securityfocus.com/bid/2311
Rule References arachnids: 139
bugtraq: 2311
cve: 1999-0204
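
An added example, not part of the original rule documentation: a banner audit that applies the Affected Systems and Corrective Action fields to SMTP greetings collected from your own mail hosts. The banner strings are constructed samples and the function names are hypothetical.

```python
import re

# First fixed release, from the Corrective Action field above.
FIXED = (8, 6, 10)

# Version token in a Sendmail greeting such as
# "220 host Sendmail 8.6.9/8.6.9 ready". The part before "/" is the
# binary version; the part after it is the configuration file version.
_VERSION = re.compile(r"\bSendmail\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(banner):
    """Return the advertised Sendmail version as a tuple of ints, or None."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one greeting line."""
    version = parse_version(banner)
    if version is None:
        # Hidden banner, another MTA, or a vendor build string (e.g. SMI-8.6)
        # that cannot be mapped to a stock release: check the host directly.
        return "unknown"
    # Compare numerically: as strings, "8.6.10" would sort before "8.6.9".
    return "affected" if version < FIXED else "fixed"


# Constructed sample greetings (not captured from real hosts).
SAMPLE_BANNERS = [
    "220 mail1.example.com Sendmail 8.6.9/8.6.9 ready",
    "220 mail2.example.com Sendmail 8.6.10/8.6.10 ready",
    "220 mail3.example.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 1 Jan 2024",
    "220 mail4.example.com Sendmail SMI-8.6/SMI-SVR4 ready",
    "220 mail5.example.com ESMTP",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{classify(line):9} {line}")
```

The greeting text is set by the administrator, so treat the result as a lead for inventory work and confirm the installed version on the host itself.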