IDS mailing list archives
RE: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
From: "Oleg Kolesnikov x 133" <okolesnikov () toplayer com>
Date: Thu, 15 Mar 2007 18:06:34 -0400
Hello,
Which security solutions are expected to catch these kinds of attacks?
NIPS and HIPS. O# on a tangent, the vulnerability is in a fixed stack-based buffer of ~2.5k allocated for one of the values extracted from the ARJ file header. Kernel32.Readfile() is then used to load the buffer. To illustrate, a HIPS should be able to stop the attack with a canary/integrity check. A generic behaviour-based HIPS should also be able to detect the attack for payloads that do not involve mimicry. There are fewer options with NIPS, but there are things that can be done to provide protection (see below).
It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catchthese kjinds of attacks. Any insight is appreciated.
Not exactly. Many modern NIPS do provide protection against this and other client-side attacks. In this particular case, it is sufficient to parse local ARJ file headers checking for an overly large local header size. Sincerely, Oleg Kolesnikov Director of Security Research TopLayer, Inc. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Surya Batchu Sent: Thursday, March 15, 2007 1:07 AM To: focus-ids () securityfocus com Subject: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Hi, Please see this advisory: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3051 This attack can be launched remotely by sending specially crafted data in archived file. Which security solutions are expected to catch these kinds of attacks? It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catch these kjinds of attacks. Any insight is appreciated. Thanks Surya ____________________________________________________________________________________ It's here! Your new message! Get new email alerts with the free Yahoo! Toolbar. http://tools.search.yahoo.com/toolbar/features/mail/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Surya Batchu (Mar 15)
- Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Michael Scheidell (Mar 15)
- Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Michael Scheidell (Mar 15)
- RE: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Oleg Kolesnikov x 133 (Mar 15)
- <Possible follow-ups>
- Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Surya Batchu (Mar 19)