Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17
From: Seth Art <sethsec () gmail com>
Date: Tue, 23 Mar 2010 20:39:56 +0000
I wanted to test how snort alerts on CVE-2010-0188, the Adobe Reader vulnerability fixed in version 9.3.1 that is purportedly covered by SID 16490. I fired up metasploit, crafted a malicious pdf using (exploit/windows/fileformat/adobe_libtiff), copied it over to my WinXP vm host and double clicked. Box was owned but no sign of SID 16490 triggering. The only sig that did fire was: "SHELLCODE x86 inc ecx NOOP". Certainly good, but a big FP sig. Looks to me that GID:1,SID:16490 (SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt) relies on "flowbits:isset,http.pdf" which is set by GID:1,SID:15013 (WEB-MISC Adobe Portable Document Format file download attempt). Is that correct? So now I am trying to figure out if there is a problem with the rule, or a problem with my config. Here are some thoughts: 1) sid:15013 will only set the flowbit if I download the PDF from a webserver (alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS). What if the malicious pdf is sent via email -- or another method? 16490 will never even run because the flowbit is not set. Right? 2) From sid:16490, I gather that it will only trigger if the malicious PDF communicates with an external webserver on an HTTP_PORT and the exploit is then sent from that server (alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any -- flow to server). Is that correct? What if the malicious PDF is configured to communicate on a non HTTP_PORT with the malicious webserver. This brings me to a question. What are most of you doing for 443/tcp. Do you include it in your HTTP_PORTS variable or not? By default I believe it is NOT included. Wouldn't this mean that another really easy way to avoid detection of this particular vulnerability being exploited would be to have your malicious pdf connect to port 443 instead of 80 outbound? (In metasploit, setting LPORT to anything aside from 80?) If SID:16490 *should* be detecting an outbound connection on port 80 to a webserver in my external net... maybe I have something else misconfigured ( I certainly do not want to rule that out). Either way, it appears that SID:16490 only detects one potential attack vector of this vulnerability, not all of them. Right? Can we broaden the scope of this sig or add additional sigs to protect against the additional attack vectors. I have a pcap of the successful exploitation described in the above scenario that was done in a vm lab environment so it doesn't need to be sanitized. Let me know if any of you want it. -Seth On Wed, Mar 17, 2010 at 12:25 PM, Research <research () sourcefire com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sourcefire VRT Certified Snort Rules Update Synopsis: This release adds and modifies rules in several categories. Details: As a result of ongoing research, the Sourcefire VRT has added multiple rules to the specific-threats and spyware-put rule sets to provide coverage for emerging threats from these technologies. For a complete list of new and modified rules please see: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-03-17.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFLoQJ1QcQOxItLLaMRAtjoAJ9Bkns5WYh0dQxVBzFwJyAHJBoDcgCgqZ/Z grKyKm13kKpDCqe5P+kb3LQ= =wkkY -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2010-03-17 Research (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Alex Kirk (Mar 17)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Seth Art (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Joel Esler (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 evilghost () packetmail net (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 Sethsec (Mar 23)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 L0rd Ch0de1m0rt (Mar 24)
- Re: Sourcefire VRT Certified Snort RulesUpdate2010-03-17 Frank Knobbe (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Will Metcalf (Mar 23)
- Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17 Mike Cox (Mar 17)