IDS mailing list archives

RE: File-format based vulns - How do vendors detect them?


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Mon, 14 Nov 2005 18:09:33 -0500

I work for ISS.

The means of protection provided by vendors varies greatly for file
format-based attacks. Some vendors simply include patterns for known
file format exploits on the likely ports, the same as they would for
protocol-based attacks they detect. Others can distinguish the file
contents from the protocol contents and will exercise a different set of
patterns against the file contents.

ISS products have a set of file format parsers to complement our
protocol parsers. That is, the products will step through the elements
of the file looking for attempts to exploit vulnerabilities. For
instance, to protect against any attempts to exploit CVE-2004-0200 (a
buffer overflow in JPEG files), the ISS products will parse the file on
the fly, identifying and examining each tag to report any that contain a
length that would exploit vulnerable software. Because the product is
organized as a multi-layered collection of protocol and file parsers,
consistent detection and protection occurs regardless of whether the
image was seen in a compressed HTTP download or as a BASE64 encoded
attachment to a MIME encoded e-mail message. The ISS approach does not
have a high false positive rate. The approach also has a very low false
negative rate. It does take more resources to parse the file contents,
but not significantly so.

Even products based on simple pattern matching will typically have a low
false positive rate as they will tend to match on long, but arbitrary,
patterns from known exploits. This approach is also not significantly
more resource intensive than pattern matching on protocols. However, the
false negative rate is very high for this approach.

Paul
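The on-the-fly tag walk Paul describes, written out as an added example (not ISS code, and not from the original thread): each JPEG marker segment carries a 2-byte length that counts itself, so a declared length below 2 is the malformed condition CVE-2004-0200 concerned. The sample byte strings below are constructed, not real files.

```python
import struct

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment; the length field counts its own 2 bytes."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a tiny well-formed header sequence, and one whose
# COM (0xFE) comment segment declares length 1, below the 2-byte minimum.
APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN = b"\xff\xd8" + APP0 + segment(0xFE, b"comment") + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01" + b"\xff\xd9"

def inspect_jpeg(data: bytes) -> list:
    """Walk marker segments; return findings as (offset, marker, declared_length, reason).

    Walking stops at SOS (0xDA, entropy-coded data follows) or EOI (0xD9).
    """
    findings = []
    if data[:2] != b"\xff\xd8":
        return [(0, None, None, "missing SOI marker")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected marker byte 0xFF"))
            break
        while data[pos + 1] == 0xFF and pos + 2 < len(data):
            pos += 1                      # skip optional 0xFF fill bytes
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI: end of image
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                      # TEM / RSTn carry no length field
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "truncated length field"))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            # The field includes itself, so a value below 2 makes a naive
            # "length - 2" payload computation wrap around in the decoder.
            findings.append((pos, marker, length, "segment length below 2-byte minimum"))
            break
        if marker == 0xDA:                # SOS: compressed scan data follows
            break
        pos += 2 + length
    return findings
```

A stream-based product would run the same walk over the decoded body (after gunzip or base64) rather than over the raw wire bytes, which is what makes the check protocol-independent.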

-----Original Message-----
From: Joshua Russel [mailto:joshua.russel () gmail com]
Sent: Wednesday, November 09, 2005 8:34 AM
To: focus-ids () securityfocus com
Subject: File-format based vulns - How do vendors detect them?

Hi,

After the recent announcement of file-format based vulnerabilities in MS
Patch Tuesday, I was wondering how IPS/IDS vendors claim to protect
against them (most of them, like TippingPoint, claim to do so). Do they
scan data transfer streams (SMTP, FTP, HTTP etc.) for these malicious
files, or is it a local check? If they do detect it on the network,
doesn't it screw up their device due to the high chance of false positives
and high resource consumption?

--Joshua

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

