Snort mailing list archives
Re: Possible FP 12280?
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 22 Oct 2010 10:24:31 -0500
Woah, that PCRE hurt my head. First, why the <t> named capture buffer if you never use it? Then there is a .*? in there which doesn't make sense to me. Somebody tell me I'm not crazy. This rule looks to be very specific to a PoC exploit and should probably be retired since it is trivial to bypass.

The PoC on http://www.eeye.com/Resources/Security-Center/Research/Security-Advisories/AD20070814a is this:

<v:rect> <v:imagedata src="http://malice/compressed.emz"> </v:rect>

I'm guessing the <t> named reference was supposed to be used at the end of the PCRE but got left off or removed in version 2 ... yea, this rule is totally created for the exploit and totally sux0rz since it won't even match the above exploit since they forgot to include characters like colon and forward slash in the [\w\x25\x2D\x2E] character class. OUCH!!!

-L0rd C.

On Fri, Oct 22, 2010 at 9:39 AM, Lay, James <james.lay () wincofoods com> wrote:
Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML source file memory corruption"; flow:to_client,established; content:"imagedata"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-050.mspx; classtype:attempted-user; sid:12280; rev:2;)
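Added example, not part of the thread: the pcre option from the quoted rule, run with Python's re module (a stand-in for Snort's PCRE; the named groups, backreference and /smi flags used here behave the same in both) against the eEye markup from the post and a constructed relative-src variant, showing why the rule never fires on the PoC and what a widened character class (my assumption, not a published revision) would change.

```python
import re

# The pcre option of SID 12280 rev 2 exactly as quoted in the thread.
# Snort's /smi modifiers map to re.S | re.M | re.I.
RULE_PCRE = (
    r"<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*"
    r"(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F"
)
FLAGS = re.S | re.M | re.I

# Hypothetical variant (an assumption for illustration, not from the rule):
# colon (\x3A) and forward slash (\x2F) added to the src value class.
WIDENED_PCRE = RULE_PCRE.replace(
    r"[\w\x25\x2D\x2E]+", r"[\w\x25\x2D\x2E\x3A\x2F]+"
)

# The eEye PoC markup quoted in the post (absolute URL in src) ...
POC = '<v:rect> <v:imagedata src="http://malice/compressed.emz"> </v:rect>'
# ... and a constructed sample whose src contains only [\w%.-] characters.
RELATIVE_SRC = '<v:rect> <v:imagedata src="compressed.emz"> </v:rect>'


def rule_matches(body: str, pattern: str = RULE_PCRE) -> bool:
    """True if the pcre option would fire on this response body."""
    return re.search(pattern, body, FLAGS) is not None


def captured_groups(body: str, pattern: str = RULE_PCRE) -> dict:
    """Named groups the pattern captures; shows <t> is filled but never reused."""
    m = re.search(pattern, body, FLAGS)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    # The src class lacks ':' and '/', so the quote backreference (?P=q)
    # can never line up after "http" and the PoC is missed entirely.
    print("PoC, rule as shipped:   ", rule_matches(POC))            # False
    print("relative src, as shipped", rule_matches(RELATIVE_SRC))   # True
    print("PoC, widened class:     ", rule_matches(POC, WIDENED_PCRE))  # True
    print("groups on relative src: ", captured_groups(RELATIVE_SRC))
```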