Snort mailing list archives
Re: FP 17154
From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 21 Oct 2010 13:57:20 -0400
Am I missing something, or does the string "data" from the PCRE not appear in that packet? If you've got actual PCAPs of this, please send them over. On Wed, Oct 20, 2010 at 10:22 AM, Lay, James <james.lay () wincofoods com>wrote:
Rule hit:
10/19-07:08:44.122456 [**] [1:17154:1] WEB-CLIENT Mozilla Firefox plugin
parameter array dangling pointer exploit attempt - 2 [**] [Classification:
Attempted User Privilege Gain] [Priority: 1] {TCP} 68.142.213.142:80 ->
66.193.105.132:32029
Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Mozilla Firefox plugin parameter array dangling pointer exploit attempt -
2"; flow:to_client,established; content:"<object"; nocase; content:"|27
27|"; within:200; fast_pattern;
pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x27\x27/i";
metadata:service http; reference:bugtraq,41933; reference:cve,2010-2755;
classtype:attempted-user; sid:17154; rev:1;)
Packet cap:
07:08:44.130455 IP 68.142.213.142.80 > 66.193.105.132.32029: Flags [.], ack
1, win 16080, length 1400
0x0000: 4500 05a0 a07f 4000 3a06 d476 448e d58e E.....@.:..vD...
0x0010: 42c1 6984 0050 7d1d fac6 9c86 217d bbd9 B.i..P}.....!}..
0x0020: 5010 3ed0 081a 0000 6f70 7065 643a 307d P.>.....opped:0}
0x0030: 3b59 4148 4f4f 2e6d 6564 6961 706c 6179 ;YAHOO.mediaplay
0x0040: 6572 2e51 5445 6e67 696e 652e 7072 6f74 er.QTEngine.prot
0x0050: 6f74 7970 652e 696e 6974 3d66 756e 6374 otype.init=funct
0x0060: 696f 6e28 297b 7472 790a 7b76 6172 2070 ion(){try.{var.p
0x0070: 6c75 6769 6e49 6e73 7461 6c6c 6564 3d66 luginInstalled=f
0x0080: 616c 7365 3b69 6628 5941 484f 4f2e 6d65 alse;if(YAHOO.me
0x0090: 6469 6170 6c61 7965 722e 5574 696c 2e64 diaplayer.Util.d
0x00a0: 6574 6563 7450 6c75 6769 6e28 2251 7569 etectPlugin("Qui
0x00b0: 636b 5469 6d65 2050 6c75 672d 696e 222c ckTime.Plug-in",
0x00c0: 2251 7569 636b 5469 6d65 2e51 7569 636b "QuickTime.Quick
0x00d0: 5469 6d65 2229 213d 3d6e 756c 6c29 7b70 Time")!==null){p
0x00e0: 6c75 6769 6e49 6e73 7461 6c6c 6564 3d74 luginInstalled=t
0x00f0: 7275 653b 7d69 6628 706c 7567 696e 496e rue;}if(pluginIn
0x0100: 7374 616c 6c65 643d 3d3d 7472 7565 297b stalled===true){
0x0110: 7661 7220 6475 6d6d 7943 6f6e 7461 696e var.dummyContain
0x0120: 6572 3d64 6f63 756d 656e 742e 6372 6561 er=document.crea
0x0130: 7465 456c 656d 656e 7428 2773 7061 6e27 teElement('span'
0x0140: 293b 6475 6d6d 7943 6f6e 7461 696e 6572 );dummyContainer
0x0150: 2e69 643d 2264 756d 6d79 2d71 7465 6e67 .id="dummy-qteng
0x0160: 696e 6522 3b64 6f63 756d 656e 742e 626f ine";document.bo
0x0170: 6479 2e61 7070 656e 6443 6869 6c64 2864 dy.appendChild(d
0x0180: 756d 6d79 436f 6e74 6169 6e65 7229 3b76 ummyContainer);v
0x0190: 6172 2068 746d 6c3d 2222 3b69 6628 5941 ar.html="";if(YA
0x01a0: 484f 4f2e 6d65 6469 6170 6c61 7965 722e HOO.mediaplayer.
0x01b0: 5574 696c 2e42 524f 5753 4552 3d3d 3d22 Util.BROWSER==="
0x01c0: 4d53 4945 2229 7b68 746d 6c2b 3d27 3c6f MSIE"){html+='<o
0x01d0: 626a 6563 7420 6964 3d22 7174 5f65 7665 bject.id="qt_eve
0x01e0: 6e74 5f73 6f75 7263 6522 2063 6c61 7373 nt_source".class
0x01f0: 6964 3d22 636c 7369 643a 4342 3932 3744 id="clsid:CB927D
0x0200: 3132 2d34 4646 372d 3461 3965 2d41 3136 12-4FF7-4a9e-A16
0x0210: 392d 3536 4534 4238 4137 3535 3938 2227 9-56E4B8A75598"'
0x0220: 2b27 2063 6f64 6562 6173 653d 2268 7474 +'.codebase="htt
0x0230: 703a 2f2f 7777 772e 6170 706c 652e 636f p://www.apple.co
0x0240: 6d2f 7174 6163 7469 7665 782f 7174 706c m/qtactivex/qtpl
0x0250: 7567 696e 2e63 6162 2376 6572 7369 6f6e ugin.cab#version
0x0260: 3d37 2c32 2c31 2c30 2220 3e3c 2f6f 626a =7,2,1,0".></obj
0x0270: 6563 743e 272b 273c 6f62 6a65 6374 2063 ect>'+'<object.c
0x0280: 6c61 7373 6964 3d22 636c 7369 643a 3032 lassid="clsid:02
0x0290: 4246 3235 4435 2d38 4331 372d 3442 3233 BF25D5-8C17-4B23
0x02a0: 2d42 4338 302d 4433 3438 3841 4244 4443 -BC80-D3488ABDDC
0x02b0: 3642 2227 2b27 2063 6f64 6562 6173 653d 6B"'+'.codebase=
0x02c0: 2268 7474 703a 2f2f 7777 772e 6170 706c "http://www.appl
0x02d0: 652e 636f 6d2f 7174 6163 7469 7665 782f e.com/qtactivex/
0x02e0: 7174 706c 7567 696e 2e63 6162 2376 6572 qtplugin.cab#ver
0x02f0: 7369 6f6e 3d37 2c32 2c31 2c30 2227 2b27 sion=7,2,1,0"'+'
0x0300: 2077 6964 7468 3d22 3022 2068 6569 6768 .width="0".heigh
0x0310: 743d 2230 2220 7479 7065 3d22 6175 6469 t="0".type="audi
0x0320: 6f2f 7175 6963 6b74 696d 6522 2069 643d o/quicktime".id=
0x0330: 2227 2b74 6869 732e 6964 2b27 2227 2b27 "'+this.id+'"'+'
0x0340: 2063 6f6e 7472 6f6c 6c65 723d 2266 616c .controller="fal
0x0350: 7365 2220 7374 796c 653d 2262 6568 6176 se".style="behav
0x0360: 696f 723a 7572 6c28 2371 745f 6576 656e ior:url(#qt_even
0x0370: 745f 736f 7572 6365 293b 223e 272b 273c t_source);">'+'<
0x0380: 7061 7261 6d20 6e61 6d65 3d22 636f 6e74 param.name="cont
0x0390: 726f 6c6c 6572 2220 7661 6c75 653d 2266 roller".value="f
0x03a0: 616c 7365 222f 3e3c 7061 7261 6d20 6e61 alse"/><param.na
0x03b0: 6d65 3d22 7372 6322 2076 616c 7565 3d22 me="src".value="
0x03c0: 222f 3e3c 7061 7261 6d20 6e61 6d65 3d22 "/><param.name="
0x03d0: 706f 7374 646f 6d65 7665 6e74 7322 2076 postdomevents".v
0x03e0: 616c 7565 3d22 7472 7565 222f 3e27 2b27 alue="true"/>'+'
0x03f0: 3c2f 6f62 6a65 6374 3e27 3b7d 656c 7365 </object>';}else
0x0400: 0a7b 6874 6d6c 2b3d 223c 656d 6265 6420 .{html+="<embed.
0x0410: 7769 6474 683d 2731 7078 2720 6865 6967 width='1px'.heig
0x0420: 6874 3d27 3170 7827 2022 2b22 6964 3d27 ht='1px'."+"id='
0x0430: 222b 7468 6973 2e69 642b 2227 2022 2b22 "+this.id+"'."+"
0x0440: 6e61 6d65 3d27 222b 7468 6973 2e69 642b name='"+this.id+
0x0450: 2227 2022 2b22 7479 7065 3d27 7669 6465 "'."+"type='vide
0x0460: 6f2f 7175 6963 6b74 696d 6527 2022 2b22 o/quicktime'."+"
0x0470: 7372 633d 2727 2022 2b22 706c 7567 696e src=''."+"plugin
0x0480: 7370 6167 653d 2768 7474 703a 2f2f 7777 spage='http://ww
0x0490: 772e 6170 706c 652e 636f 6d2f 7175 6963 w.apple.com/quic
0x04a0: 6b74 696d 652f 646f 776e 6c6f 6164 2f27 ktime/download/'
0x04b0: 2022 2b22 656e 6162 6c65 6a61 7661 7363 ."+"enablejavasc
0x04c0: 7269 7074 3d27 7472 7565 2720 222b 2263 ript='true'."+"c
0x04d0: 6f6e 7472 6f6c 6c65 723d 2766 616c 7365 ontroller='false
0x04e0: 2720 222b 2273 7479 6c65 3d27 706f 7369 '."+"style='posi
0x04f0: 7469 6f6e 3a66 6978 6564 3b20 746f 703a tion:fixed;.top:
0x0500: 303b 2072 6967 6874 3a30 3b27 2022 2b22 0;.right:0;'."+"
0x0510: 6175 746f 706c 6179 3d27 7472 7565 2720 autoplay='true'.
0x0520: 706f 7374 646f 6d65 7665 6e74 733d 2774 postdomevents='t
0x0530: 7275 6527 222b 222f 3e22 3b7d 6475 6d6d rue'"+"/>";}dumm
0x0540: 7943 6f6e 7461 696e 6572 2e69 6e6e 6572 yContainer.inner
0x0550: 4854 4d4c 3d68 746d 6c3b 7468 6973 2e74 HTML=html;this.t
0x0560: 696d 654f 7574 3d77 696e 646f 772e 7365 imeOut=window.se
0x0570: 7454 696d 656f 7574 2827 5941 484f 4f2e tTimeout('YAHOO.
0x0580: 6d65 6469 6170 6c61 7965 722e 436f 6e74 mediaplayer.Cont
0x0590: 726f 6c6c 6572 2e71 7465 6e67 696e 652e roller.qtengine.
James Lay
------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America
contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in
marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- FP 17154 Lay, James (Oct 20)
- Re: FP 17154 Alex Kirk (Oct 21)