Snort mailing list archives

Re: [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 09:45:20 -0500

Oh, and that being said, this is a vulnerability against IE6 from October of 2004 that had to do with large Iframes.  
If you are not running IE6 or have patched it since 2004, feel free to disable this rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 20, 2012, at 9:40 AM, Joel Esler wrote:

Discussion of VRT rules belongs on the Snort-sigs list.  Cc'ed here.

J

On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:

I am hitting a false positive for the rule on visiting Yahoo.

web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)


ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#0-(5-49715) | [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt | 2012-02-20 08:47:05 | 202.43.205.15:80 | 192.168.56.1:44895 | TCP
#1-(5-49712) | [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt | 2012-02-20 08:46:57 | 202.43.205.15:80 | 192.168.56.1:44895 | TCP


HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 03:17:05 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0122.rm.sg1
Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: liday1=nfg#QNHRYlV!-@g; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
Pragma: no-cache
Content-Type: text/html
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive

493
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);}
</script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
<iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C";
 frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>
0
I believe this is a VRT rule; do let me know whether I can discuss those here, as I don't want to break any rules of this mailing list.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
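To see why sid:15147 fires on an ordinary ad tag, the following added example (not from the thread or from the VRT) applies the rule's PCRE to constructed HTML samples and reports each iframe's unbroken src length. The samples and their example.invalid hostnames are placeholders; the PCRE body is copied from the rule, with the "smi" flags mapped to Python's re.S | re.M | re.I.

```python
import re

# The PCRE from sid:15147 as quoted in the thread, translated to Python's re.
# PCRE flags "smi" map to re.S | re.M | re.I; the pattern body is unchanged.
# The rule also requires the content match "<IFRAME " (nocase), which this
# PCRE implies, so checking the PCRE alone reproduces its verdict on a payload.
SID_15147 = re.compile(
    r"<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}",
    re.S | re.M | re.I,
)

# Helper pattern (mine, not part of the rule) that captures each iframe's src
# run so the length that drove the verdict can be reported.
IFRAME_SRC = re.compile(
    r"<iframe\s+[^>]*?src\s*=\s*(?:\x22|\x27|)([^\x22\x27\s>]*)",
    re.S | re.I,
)


def rule_fires(html: str) -> bool:
    """True when a src value runs 400+ characters with no quote,
    whitespace or '>' -- the only thing the rule actually tests for."""
    return SID_15147.search(html) is not None


def iframe_src_lengths(html: str) -> list:
    """Length of the unbroken src run of every iframe, for explaining a hit."""
    return [len(m.group(1)) for m in IFRAME_SRC.finditer(html)]


# Constructed samples (not the capture from the thread); hostnames are placeholders.
# An ad tag shaped like the one Yahoo served: a long URL carrying an encoded clickTag.
LONG_AD_TAG = (
    '<html><body><iframe src="http://ads.example.invalid/Tag?adId=sample&clickTag0='
    + "http%3A%2F%2Fclick.example.invalid%2F" + "A" * 400
    + '" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>'
)
# Ordinary embed: far shorter than 400 characters, so no alert.
SHORT_IFRAME = '<iframe src="http://www.example.invalid/widget.html" width="160"></iframe>'
# Long src, but a literal space interrupts the run before 400 characters.
LONG_WITH_SPACE = (
    '<iframe src="http://www.example.invalid/' + "B" * 200 + " " + "B" * 300 + '"></iframe>'
)

if __name__ == "__main__":
    for name, html in [("ad tag", LONG_AD_TAG), ("short", SHORT_IFRAME), ("spaced", LONG_WITH_SPACE)]:
        print(f"{name}: src lengths {iframe_src_lengths(html)} -> fires={rule_fires(html)}")
```

Any benign page whose iframe src is a 400-character-plus URL without whitespace trips the rule, which is why Joel's advice to disable it where IE6 is absent is the practical fix.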

