Re: possible fp on 17297

[matan monitz <mmonitz () gmail com>]

hello rmkml
i have read those references before and i have a basic understanding of the
vulnerability, however this does not explain the second content string in
the signature.
filtering based on ports is not relevent since this sig is meant to look at
files being transferd at any protocol.

i can't figure out what you mean by "light"...

attached is the payload from the alerts
you can also strip the http headers with some hex-editor and get the
beginning of valid rar files
weird, they all seem like valid symantec endpoint protection updates...

anyone from VRT care to enlighten us?

On Tue, Nov 16, 2010 at 11:44 PM, rmkml <rmkml () yahoo fr> wrote:

> Hi Matan,
> added more references:
>  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=515
>  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2152
>  http://www.kb.cert.org/vuls/id/324929
>  http://www.securityfocus.com/bid/23543
>  http://xforce.iss.net/xforce/xfdb/33732
> -Maybe check if any ports is good for you or maybe add exception port?
> -Maybe add "light" within:200; for checking unicode multibyte,
> -and maybe add "light" searching long null byte (separator) ending filename
> like: isdataat:64,relative; content:!"|00|"; within:64;
>
> but the best is how length multibyte unicode vulnerability?
>
> do you have a FP example please?
> Regards
> Rmkml
>
>
>
> On Tue, 16 Nov 2010, matan monitz wrote:
>
>  hello
> > i have been trying to investigate a possible fp for 17297 but i can't
> > really figure out what the sig is looking for
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee
> > VirusScan on-access scanner long unicode filename handling buffer overflow
> > attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90
> > 73 00
> > 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297;
> > rev:3;)
> > i get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; ) thats
> > a rar file header but what is: content:"|E2 CA D4 B2 E2 CA D4 B2|";?  is it
> > suppose to be something in unicode?
> > how sure should i be regarding this signature?

Attachment: payload.txt
Description:

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today
http://p.sf.net/sfu/msIE9-sfdev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs