Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

[JJ Cummings <cummingsj () gmail com>]

Shawn,

you can ascertain this by asking yourself some simple questions:

1: Is the system that this is alerting affected by this, I.E. is it a system
running the affected version of Microsoft Windows Media Player with the
appropriate codecs?

2: Is the file in question that is causing the alert even an mp4 file?
Since you suspect that it's not, verify this... if it is, see question 1

Answer both of those and You'll find the answer...

1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows
Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows
remote attackers to execute arbitrary code via a certain .mp4 file, possibly
a related issue to CVE-2007-6402.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx
MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established;
content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user;
sid:13318; rev:2;)

On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

>  I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt
> buffer overflow attempt (1:13318), and I’m thinking this is a false
> positive.  The snort page for the alert doesn’t list any known false
> positives.
>
> Some of the payload info:
>
> HTTP/1.1 200 OK
> Date: Wed, 25 Mar 2009 20:51:54 GMT
> Server: Apache/1.3.41.fb2
> Expires: Mon, 26 Jul 1997 05:00:00 GMT
> Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> P3P: CP="HONK"
> Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
> Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
> X-Cnection: close
> Transfer-Encoding: chunked
> Content-Type: application/x-javascript; charset=utf-8
> Content-Encoding: gzip
>
> The reason I think it may be a false positive, is the fact that this
> appears to be a javascript, and is gzipped (??).  I’ve seen other alerts
> triggered by JPEGs, and I’ve always assumed they were false positives, but I
> wanted to run it by all you because I could be missing something!
>
> Also, if this is a false positive, how do I go about helping fill out the
> snort alert DB on the website?
>
> Thanks,
> Shawn
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users