Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules for CVE-2013-3906


From: Patrick Mullen <pmullen () sourcefire com>
Date: Fri, 8 Nov 2013 09:36:49 -0500

Jeremy,

The rules that are currently released for CVE-2013-3906 (sids 28464-28471)
cover all known samples that exploit this vulnerability as well as a
yet-unseen version for which STRIPBYTECOUNT is set to one and the
vulnerable value can be checked easily.  When STRIPBYTECOUNT is greater
than one, the values that need to be evaluated for the vulnerable
condition are located at a file offset, which requires additional
processing to compute.  Using Snort's shared object rule architecture, we
are able to perform these calculations but since shared object rules are
written in C, there are additional reviews that need to be performed before
release.  The current sids were released to provide good coverage for our
customers immediately while the shared object rule went through the review
process to cover the more general case.  The shared object rule has already
gone through the review process and will be released in an upcoming
SEU/SRU/rulepack.


Thanks,

~Patrick


On Thu, Nov 7, 2013 at 10:05 PM, Jeremy Scott
<JeremyScott () solutionary com> wrote:

What's the possibility of false negatives with the rules package for
CVE-2013-3906 (SID 28464-71)? I'm just trying to validate if I'm
understanding the rule logic correctly.

The content is matching the STRIPBYTECOUNT TIFF Tag (01 17 00 04 00 00 00
01). By specifying a value of 1 for the number of strips in the file, it
seems that it will bypass the rule from being triggered if more than 1
strip is used to trigger the vulnerable condition.


Jeremy Scott
Senior Research Analyst
Security Engineering Research Team (SERT)
http://www.solutionary.com/

--
Patrick Mullen
Response Research Manager
Sourcefire VRT
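As an added example (not code from the thread or from the Sourcefire rules), a small Python parser that shows the two STRIPBYTECOUNTS layouts Patrick describes: with a count of one the value sits inside the 12-byte IFD entry, where the quoted content match (01 17 00 04 00 00 00 01) can reach it directly; with a larger count the entry holds a file offset that has to be dereferenced first. The sample files are constructed, big-endian, and carry only that one tag; the vulnerable value itself is not modelled.

```python
import struct

STRIP_BYTE_COUNTS = 0x0117                       # TIFF tag quoted in the thread
INLINE_SIG = bytes.fromhex("0117000400000001")   # big-endian entry: tag, LONG, count=1
INT_FMT = {3: "H", 4: "I"}                       # SHORT and LONG, the valid types for this tag

def strip_byte_counts(data):
    """Walk the first IFD and return (values, inline) for STRIPBYTECOUNTS.
    inline is True when count*size <= 4 and the value sits in the entry itself;
    otherwise the entry holds a file offset that must be dereferenced."""
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if e is None:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (n,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    for i in range(n):
        entry = data[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        tag, typ, count = struct.unpack(e + "HHI", entry[:8])
        if tag != STRIP_BYTE_COUNTS:
            continue
        if typ not in INT_FMT:
            raise ValueError("unexpected field type %d for STRIPBYTECOUNTS" % typ)
        fmt = INT_FMT[typ]
        size = count * struct.calcsize(e + fmt)
        if size <= 4:
            blob, inline = entry[8:8 + size], True       # value packed into the entry
        else:
            (off,) = struct.unpack(e + "I", entry[8:12])  # entry holds a file offset
            blob, inline = data[off:off + size], False
        if len(blob) != size:
            raise ValueError("STRIPBYTECOUNTS data truncated")
        return list(struct.unpack(e + fmt * count, blob)), inline
    return None, None

def build_tiff(counts):
    """Construct a minimal big-endian TIFF whose only IFD entry is STRIPBYTECOUNTS
    (LONG). One strip: value inline. Several strips: values placed after the IFD."""
    ifd_off, n = 8, 1
    data_off = ifd_off + 2 + 12 * n + 4              # first byte after the IFD
    if len(counts) == 1:
        value, tail = struct.pack(">I", counts[0]), b""
    else:
        value = struct.pack(">I", data_off)
        tail = struct.pack(">" + "I" * len(counts), *counts)
    ifd = struct.pack(">H", n) + struct.pack(">HHI", STRIP_BYTE_COUNTS, 4, len(counts)) + value
    return b"MM" + struct.pack(">HI", 42, ifd_off) + ifd + struct.pack(">I", 0) + tail

def inline_signature_hit(data):
    """Model the quoted content match: it can only fire for the count == 1 layout."""
    return INLINE_SIG in data
```

Running strip_byte_counts over both constructed files returns the same kind of value list, but only the single-strip file contains the quoted byte pattern; the three-strip file needs the offset walk that Patrick says the shared object rule performs.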
