Snort mailing list archives

Offer a new sig for detecting LibTIFF BadFaxLines tag count possible RCE


From: rmkml <rmkml () ligfy org>
Date: Sun, 30 Oct 2016 23:36:24 +0100 (CET)

Hi,

The http://etplc.org open source project offers a new sig for detecting LibTIFF BadFaxLines tag count possible Remote Command Execution:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libTIFF big-endian BadFaxLines (0146h) tag count possible RCE attempt"; flow:to_client,established; file_data; content:"MM"; within:2; distance:0; content:"|01 46 00 04|"; distance:0; byte_test:4,>,65535,0,relative,big; reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:1; rev:1;)

Special thanks to Talos / ex VRT.

Don't forget to check variables.

Another sig exists with little endian... or using flowbits... or checking RCE too...

Please send any comments.

Regards
@Rmkml
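The check the rule above performs (BadFaxLines tag 0x0146, field type LONG, count field greater than 65535) can be reproduced offline on a file sample, which is useful for validating the signature or triaging a captured TIFF. The script below is an added example and is not part of the original post or the etplc.org project. It goes slightly beyond the posted rule: instead of matching the byte pattern anywhere after the "MM" marker, it parses the TIFF header and walks the IFD0 entries properly, and it handles both byte orders (the post mentions a separate little-endian sig). The sample TIFF it builds is constructed here for the test and is not real malicious data; the tag, type and threshold constants are taken from the rule.

```python
import struct

BADFAXLINES_TAG = 0x0146   # TIFF tag BadFaxLines, the |01 46| in the rule
TYPE_LONG = 4              # TIFF field type LONG, the |00 04| in the rule
COUNT_THRESHOLD = 65535    # byte_test:4,>,65535 in the rule


def parse_tiff_ifd0(data):
    """Return (struct byte-order prefix, [(tag, type, count, value_or_offset), ...])
    for the first IFD of a TIFF. Raises ValueError for anything that is not a
    well-formed TIFF header; never reads past the end of the buffer."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    order = data[:2]
    if order == b"MM":
        e = ">"          # big-endian, the case the posted rule covers
    elif order == b"II":
        e = "<"          # little-endian, the sibling sig mentioned in the post
    else:
        raise ValueError("not a TIFF file (missing II/MM byte-order mark)")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD0 offset points outside the file")
    (n_entries,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    entries = []
    pos = ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            break        # truncated IFD: stop rather than read past the buffer
        tag, typ, count, val = struct.unpack(e + "HHII", data[pos:pos + 12])
        entries.append((tag, typ, count, val))
        pos += 12
    return e, entries


def suspicious_badfaxlines(data):
    """Same condition as the rule, for either byte order: True when IFD0 carries
    a BadFaxLines entry of type LONG whose count exceeds 65535."""
    try:
        _, entries = parse_tiff_ifd0(data)
    except ValueError:
        return False     # not a TIFF at all; the rule would not fire either
    return any(tag == BADFAXLINES_TAG and typ == TYPE_LONG and count > COUNT_THRESHOLD
               for tag, typ, count, _ in entries)


def build_tiff(order, badfax_count):
    """Constructed sample (not real data): a minimal TIFF whose IFD0 holds a single
    BadFaxLines entry of type LONG with the given count."""
    e = ">" if order == b"MM" else "<"
    header = order + struct.pack(e + "HI", 42, 8)          # magic 42, IFD0 at offset 8
    ifd = struct.pack(e + "H", 1)                            # one directory entry
    ifd += struct.pack(e + "HHII", BADFAXLINES_TAG, TYPE_LONG, badfax_count, 0)
    ifd += struct.pack(e + "I", 0)                           # next-IFD pointer: none
    return header + ifd


if __name__ == "__main__":
    for order in (b"MM", b"II"):
        for count in (1, 65535, 70000):
            sample = build_tiff(order, count)
            print(order.decode(), count, "->", suspicious_badfaxlines(sample))
```

Run it as-is to see the threshold behaviour, or pass the bytes of a file sample to suspicious_badfaxlines. Because this parser walks the directory structure instead of pattern-matching the raw stream, it will not flag a file where the byte sequence 01 46 00 04 merely appears in pixel data, which is one way to compare false positives against the Snort rule during tuning.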

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org