FP 17154
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 20 Oct 2010 08:22:44 -0600
Rule hit:
10/19-07:08:44.122456 [**] [1:17154:1] WEB-CLIENT Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 68.142.213.142:80 -> 66.193.105.132:32029

Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2"; flow:to_client,established; content:"<object"; nocase; content:"|27 27|"; within:200; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x27\x27/i"; metadata:service http; reference:bugtraq,41933; reference:cve,2010-2755; classtype:attempted-user; sid:17154; rev:1;)

Packet cap:
07:08:44.130455 IP 68.142.213.142.80 > 66.193.105.132.32029: Flags [.], ack 1, win 16080, length 1400
0x0000: 4500 05a0 a07f 4000 3a06 d476 448e d58e E.....@.:..vD...
0x0010: 42c1 6984 0050 7d1d fac6 9c86 217d bbd9 B.i..P}.....!}..
0x0020: 5010 3ed0 081a 0000 6f70 7065 643a 307d P.>.....opped:0}
0x0030: 3b59 4148 4f4f 2e6d 6564 6961 706c 6179 ;YAHOO.mediaplay
0x0040: 6572 2e51 5445 6e67 696e 652e 7072 6f74 er.QTEngine.prot
0x0050: 6f74 7970 652e 696e 6974 3d66 756e 6374 otype.init=funct
0x0060: 696f 6e28 297b 7472 790a 7b76 6172 2070 ion(){try.{var.p
0x0070: 6c75 6769 6e49 6e73 7461 6c6c 6564 3d66 luginInstalled=f
0x0080: 616c 7365 3b69 6628 5941 484f 4f2e 6d65 alse;if(YAHOO.me
0x0090: 6469 6170 6c61 7965 722e 5574 696c 2e64 diaplayer.Util.d
0x00a0: 6574 6563 7450 6c75 6769 6e28 2251 7569 etectPlugin("Qui
0x00b0: 636b 5469 6d65 2050 6c75 672d 696e 222c ckTime.Plug-in",
0x00c0: 2251 7569 636b 5469 6d65 2e51 7569 636b "QuickTime.Quick
0x00d0: 5469 6d65 2229 213d 3d6e 756c 6c29 7b70 Time")!==null){p
0x00e0: 6c75 6769 6e49 6e73 7461 6c6c 6564 3d74 luginInstalled=t
0x00f0: 7275 653b 7d69 6628 706c 7567 696e 496e rue;}if(pluginIn
0x0100: 7374 616c 6c65 643d 3d3d 7472 7565 297b stalled===true){
0x0110: 7661 7220 6475 6d6d 7943 6f6e 7461 696e var.dummyContain
0x0120: 6572 3d64 6f63 756d 656e 742e 6372 6561 er=document.crea
0x0130: 7465 456c 656d 656e 7428 2773 7061 6e27 teElement('span'
0x0140: 293b 6475 6d6d 7943 6f6e 7461 696e 6572 );dummyContainer
0x0150: 2e69 643d 2264 756d 6d79 2d71 7465 6e67 .id="dummy-qteng
0x0160: 696e 6522 3b64 6f63 756d 656e 742e 626f ine";document.bo
0x0170: 6479 2e61 7070 656e 6443 6869 6c64 2864 dy.appendChild(d
0x0180: 756d 6d79 436f 6e74 6169 6e65 7229 3b76 ummyContainer);v
0x0190: 6172 2068 746d 6c3d 2222 3b69 6628 5941 ar.html="";if(YA
0x01a0: 484f 4f2e 6d65 6469 6170 6c61 7965 722e HOO.mediaplayer.
0x01b0: 5574 696c 2e42 524f 5753 4552 3d3d 3d22 Util.BROWSER==="
0x01c0: 4d53 4945 2229 7b68 746d 6c2b 3d27 3c6f MSIE"){html+='<o
0x01d0: 626a 6563 7420 6964 3d22 7174 5f65 7665 bject.id="qt_eve
0x01e0: 6e74 5f73 6f75 7263 6522 2063 6c61 7373 nt_source".class
0x01f0: 6964 3d22 636c 7369 643a 4342 3932 3744 id="clsid:CB927D
0x0200: 3132 2d34 4646 372d 3461 3965 2d41 3136 12-4FF7-4a9e-A16
0x0210: 392d 3536 4534 4238 4137 3535 3938 2227 9-56E4B8A75598"'
0x0220: 2b27 2063 6f64 6562 6173 653d 2268 7474 +'.codebase="htt
0x0230: 703a 2f2f 7777 772e 6170 706c 652e 636f p://www.apple.co
0x0240: 6d2f 7174 6163 7469 7665 782f 7174 706c m/qtactivex/qtpl
0x0250: 7567 696e 2e63 6162 2376 6572 7369 6f6e ugin.cab#version
0x0260: 3d37 2c32 2c31 2c30 2220 3e3c 2f6f 626a =7,2,1,0".></obj
0x0270: 6563 743e 272b 273c 6f62 6a65 6374 2063 ect>'+'<object.c
0x0280: 6c61 7373 6964 3d22 636c 7369 643a 3032 lassid="clsid:02
0x0290: 4246 3235 4435 2d38 4331 372d 3442 3233 BF25D5-8C17-4B23
0x02a0: 2d42 4338 302d 4433 3438 3841 4244 4443 -BC80-D3488ABDDC
0x02b0: 3642 2227 2b27 2063 6f64 6562 6173 653d 6B"'+'.codebase=
0x02c0: 2268 7474 703a 2f2f 7777 772e 6170 706c "http://www.appl
0x02d0: 652e 636f 6d2f 7174 6163 7469 7665 782f e.com/qtactivex/
0x02e0: 7174 706c 7567 696e 2e63 6162 2376 6572 qtplugin.cab#ver
0x02f0: 7369 6f6e 3d37 2c32 2c31 2c30 2227 2b27 sion=7,2,1,0"'+'
0x0300: 2077 6964 7468 3d22 3022 2068 6569 6768 .width="0".heigh
0x0310: 743d 2230 2220 7479 7065 3d22 6175 6469 t="0".type="audi
0x0320: 6f2f 7175 6963 6b74 696d 6522 2069 643d o/quicktime".id=
0x0330: 2227 2b74 6869 732e 6964 2b27 2227 2b27 "'+this.id+'"'+'
0x0340: 2063 6f6e 7472 6f6c 6c65 723d 2266 616c .controller="fal
0x0350: 7365 2220 7374 796c 653d 2262 6568 6176 se".style="behav
0x0360: 696f 723a 7572 6c28 2371 745f 6576 656e ior:url(#qt_even
0x0370: 745f 736f 7572 6365 293b 223e 272b 273c t_source);">'+'<
0x0380: 7061 7261 6d20 6e61 6d65 3d22 636f 6e74 param.name="cont
0x0390: 726f 6c6c 6572 2220 7661 6c75 653d 2266 roller".value="f
0x03a0: 616c 7365 222f 3e3c 7061 7261 6d20 6e61 alse"/><param.na
0x03b0: 6d65 3d22 7372 6322 2076 616c 7565 3d22 me="src".value="
0x03c0: 222f 3e3c 7061 7261 6d20 6e61 6d65 3d22 "/><param.name="
0x03d0: 706f 7374 646f 6d65 7665 6e74 7322 2076 postdomevents".v
0x03e0: 616c 7565 3d22 7472 7565 222f 3e27 2b27 alue="true"/>'+'
0x03f0: 3c2f 6f62 6a65 6374 3e27 3b7d 656c 7365 </object>';}else
0x0400: 0a7b 6874 6d6c 2b3d 223c 656d 6265 6420 .{html+="<embed.
0x0410: 7769 6474 683d 2731 7078 2720 6865 6967 width='1px'.heig
0x0420: 6874 3d27 3170 7827 2022 2b22 6964 3d27 ht='1px'."+"id='
0x0430: 222b 7468 6973 2e69 642b 2227 2022 2b22 "+this.id+"'."+"
0x0440: 6e61 6d65 3d27 222b 7468 6973 2e69 642b name='"+this.id+
0x0450: 2227 2022 2b22 7479 7065 3d27 7669 6465 "'."+"type='vide
0x0460: 6f2f 7175 6963 6b74 696d 6527 2022 2b22 o/quicktime'."+"
0x0470: 7372 633d 2727 2022 2b22 706c 7567 696e src=''."+"plugin
0x0480: 7370 6167 653d 2768 7474 703a 2f2f 7777 spage='http://ww
0x0490: 772e 6170 706c 652e 636f 6d2f 7175 6963 w.apple.com/quic
0x04a0: 6b74 696d 652f 646f 776e 6c6f 6164 2f27 ktime/download/'
0x04b0: 2022 2b22 656e 6162 6c65 6a61 7661 7363 ."+"enablejavasc
0x04c0: 7269 7074 3d27 7472 7565 2720 222b 2263 ript='true'."+"c
0x04d0: 6f6e 7472 6f6c 6c65 723d 2766 616c 7365 ontroller='false
0x04e0: 2720 222b 2273 7479 6c65 3d27 706f 7369 '."+"style='posi
0x04f0: 7469 6f6e 3a66 6978 6564 3b20 746f 703a tion:fixed;.top:
0x0500: 303b 2072 6967 6874 3a30 3b27 2022 2b22 0;.right:0;'."+"
0x0510: 6175 746f 706c 6179 3d27 7472 7565 2720 autoplay='true'.
0x0520: 706f 7374 646f 6d65 7665 6e74 733d 2774 postdomevents='t
0x0530: 7275 6527 222b 222f 3e22 3b7d 6475 6d6d rue'"+"/>";}dumm
0x0540: 7943 6f6e 7461 696e 6572 2e69 6e6e 6572 yContainer.inner
0x0550: 4854 4d4c 3d68 746d 6c3b 7468 6973 2e74 HTML=html;this.t
0x0560: 696d 654f 7574 3d77 696e 646f 772e 7365 imeOut=window.se
0x0570: 7454 696d 656f 7574 2827 5941 484f 4f2e tTimeout('YAHOO.
0x0580: 6d65 6469 6170 6c61 7965 722e 436f 6e74 mediaplayer.Cont
0x0590: 726f 6c6c 6572 2e71 7465 6e67 696e 652e roller.qtengine.

James Lay