Snort mailing list archives
Offer a new sig for detecting LibTIFF BadFaxLines tag count possible RCE
From: rmkml <rmkml () ligfy org>
Date: Sun, 30 Oct 2016 23:36:24 +0100 (CET)
Hi,

The http://etplc.org open source project offers a new sig for detecting LibTIFF BadFaxLines tag count possible Remote Command Execution:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libTIFF big-endian BadFaxLines (0146h) tag count possible RCE attempt"; flow:to_client,established; file_data; content:"MM"; within:2; distance:0; content:"|01 46 00 04|"; distance:0; byte_test:4,>,65535,0,relative,big; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:1; rev:1;)

Special thanks to Talos / ex VRT.

Don't forget to check variables.

Another sig exists with little endian... or using flowbits... or checking RCE too...

Please send any comments.

Regards
@Rmkml
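The condition the rule above tests (tag 0146h, type 0004h, count greater than 65535), checked offline by walking the TIFF IFD entries instead of searching for the byte pattern, and covering the little-endian case the post mentions. This is an added example, not part of the original post or of the ETPLC project; the function names and the sample files built by `make_tiff` are constructed for illustration.

```python
import struct

BADFAXLINES = 0x0146  # tag id the rule matches (|01 46|)
TYPE_LONG = 4         # field type the rule matches (|00 04|)
MAX_COUNT = 65535     # threshold from the rule's byte_test

def find_oversized_badfaxlines(data, max_ifds=64):
    """Return [(ifd_offset, count)] for BadFaxLines/LONG entries whose count
    exceeds MAX_COUNT; [] for non-TIFF input. Truncated data stops the walk."""
    order = {b"MM": ">", b"II": "<"}.get(data[:2])
    if order is None or len(data) < 8:
        return []
    magic, ifd = struct.unpack_from(order + "HI", data, 2)
    if magic != 42:
        return []
    hits, seen = [], set()
    # 'seen' and max_ifds stop IFD chains that loop or never end
    while ifd and ifd not in seen and len(seen) < max_ifds:
        seen.add(ifd)
        if ifd + 2 > len(data):
            break
        (n,) = struct.unpack_from(order + "H", data, ifd)
        for i in range(n):
            off = ifd + 2 + i * 12  # each IFD entry is 12 bytes
            if off + 12 > len(data):
                return hits
            tag, typ, count = struct.unpack_from(order + "HHI", data, off)
            if tag == BADFAXLINES and typ == TYPE_LONG and count > MAX_COUNT:
                hits.append((ifd, count))
        nxt = ifd + 2 + n * 12
        if nxt + 4 > len(data):
            break
        (ifd,) = struct.unpack_from(order + "I", data, nxt)
    return hits

def make_tiff(endian, count):
    """Constructed sample: header plus one IFD with a single BadFaxLines entry."""
    order = ">" if endian == "MM" else "<"
    header = endian.encode() + struct.pack(order + "HI", 42, 8)
    entry = struct.pack(order + "HHII", BADFAXLINES, TYPE_LONG, count, 0)
    return header + struct.pack(order + "H", 1) + entry + struct.pack(order + "I", 0)

if __name__ == "__main__":
    for endian in ("MM", "II"):
        print(endian, find_oversized_badfaxlines(make_tiff(endian, 70000)))
```

Because it reads the tag from an actual IFD entry, this check does not fire on the bytes `01 46 00 04` appearing elsewhere in the file, which the pattern-based rule cannot distinguish.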