Full Disclosure mailing list archives

Re: BAD NEWS: Microsoft Security Bulletin MS03-032


From: "Crist J. Clark" <cristjc () comcast net>
Date: Fri, 12 Sep 2003 13:59:59 -0700

On Tue, Sep 09, 2003 at 01:51:25PM -0700, Drew Copley wrote:
-----Original Message-----
From: Nathan Wallwork [mailto:owen () pungent org] 
Sent: Tuesday, September 09, 2003 1:18 PM

On Mon, 8 Sep 2003, Drew Copley wrote:
The only sure way to detect this, I already wrote about [to Bugtraq].
That is by setting a firewall rule which blocks the dangerous mimetype
string [Content-Type: application/hta]. Everything else in the exploit
can change.

Just so we are clear, the firewall wouldn't be the right place to catch
this because that string could be split by packet fragmentation, so you'd
need to look for it at an application level, after the data stream
has been reassembled.

Yes, I mean "IPS rule" - "firewall rule" is a bit inaccurate- just a
traditional term. Any IPS that does not handle fragmentation, though, has
some serious problems. 

s/fragmentation/fragmentation and TCP reassembly/

You'd need both, and they are different things.
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
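
The point made in this thread, as an added example that is not part of the original messages: a rule for `Content-Type: application/hta` applied to each TCP payload on its own misses a header split across segments, while the same rule applied to the reassembled stream does not. It assumes IP defragmentation has already produced whole TCP segments; the function names, sequence numbers and sample response are constructed for illustration.

```python
import re

# Case-insensitive header match; tolerates whitespace and trailing parameters.
HTA_HEADER = re.compile(rb"^content-type:[ \t]*application/hta\b", re.I | re.M)

def per_packet_match(segments):
    """Naive rule: search each TCP payload in isolation."""
    return any(HTA_HEADER.search(payload) for _seq, payload in segments)

def reassemble(segments, isn):
    """Rebuild the byte stream from (seq, payload) pairs.

    Handles out-of-order arrival and overlapping retransmissions
    (already-accepted bytes are never overwritten, an assumed policy)
    and stops at the first gap. Sequence-number wraparound is ignored.
    """
    stream, next_seq = bytearray(), isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > next_seq:        # hole in the stream: wait for more data
            break
        skip = next_seq - seq     # bytes already accepted
        if skip < len(payload):
            stream += payload[skip:]
            next_seq = seq + len(payload)
    return bytes(stream)

def stream_match(segments, isn):
    """Apply the rule to the header block of the reassembled stream."""
    headers = reassemble(segments, isn).split(b"\r\n\r\n", 1)[0]
    return bool(HTA_HEADER.search(headers))

# Constructed sample: one HTTP response cut into three segments, with the
# second cut falling inside "application/hta", delivered out of order.
ISN = 1000
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
            b"Content-Type: application/hta\r\n\r\n<html></html>")
SEGMENTS = [(ISN + 55, RESPONSE[55:]),
            (ISN, RESPONSE[:20]),
            (ISN + 20, RESPONSE[20:55])]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS))     # False
    print("reassembled:", stream_match(SEGMENTS, ISN))   # True
```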

