[Snort-sigs] Apache Chunked Encoding Memory Corruption exploit signature

Sean Hittel seanh at ...113...
Thu Jun 20 09:04:04 EDT 2002


Greetings,

The following exploit specific Snort signature has been created for the
Apache Chunked Encoding Memory Corruption exploit, apache-scalp.c, which
is available at http://online.securityfocus.com/bid/5033/exploit/ :

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"Apache Chunked Encoding Memory Corruption exploit attempt"; \
flags:A+; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00 CD 80|"; \
reference:bugtraq,5033; classtype:web-application-activity; rev:1;)

Although this exploit requires a chunked encoding transfer in order to
function, due to the irregular method of reassembling TCP streams, the
addition of chunked encoding related headers to the above Snort signature
would cause the signature to fail in the event of improperly reassembled
TCP streams. This is due to the length of the exploit and the fact that
the shellcode sequence occurs well before the "chunked encoding" string
within the payload.

The above signature translates to xC0 followed by the following x86
instructions:

0x50                         push    eax
0x52                         push    edx
0x89 0xE1                    mov     ecx, esp
0x50                         push    eax
0x51                         push    ecx
0x52                         push    edx
0x50                         push    eax
0xB8 0x3B 0x00 0x00 0x00     mov     eax, 59 (OpenBSD sys_execve)
0xCD 0x80                    int     80h

Additionally, the chunked encoding signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
(msg:"Possible Chunked Encoding transfer attempt"; flags:A+; \
content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; \
reference:bugtraq,4485; classtype:web-application-activity; rev:3;)

which is available in the MS02-18 Snort rules file at:

http://analyzer.securityfocus.com/rules/IISSigs.rules

will catch this exploit; however, it is prone to false positives. Also,
please note that this Chunked Encoding signature will detect attempts at
the Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability
without incurring the false negative condition associated with some other
signatures.

If you have any questions or comments, please direct comments to
analyzer at ...113...

Thanks,
Sean Hittel
DeepSight Threat Analyst
http://aris.securityfocus.com/
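As an added illustration of the detection logic described in the post (this is not code from the post or from Snort), the following Python models the two signatures as Snort-style content matches: it parses Snort's mixed text and |hex| content notation, applies nocase where the rules do, and then evaluates the rules against constructed sample traffic. A third, hypothetical combined rule (shellcode bytes plus the Transfer-Encoding headers in one buffer) is included only to show why the post argues against adding the chunked-encoding headers to the shellcode signature: when the two parts of the request arrive in separate, unreassembled TCP segments, the combined rule never fires, while the shellcode-only rule still does. All payloads, the segment split and the rule names other than the two message strings quoted from the post are constructed for this example.

```python
from typing import Iterable, List


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string such as 'Transfer-Encoding|3A|' or
    '|C0 50 ... 80|' into raw bytes. Text outside pipes is literal; text
    inside pipes is whitespace-separated hex."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:                               # outside pipes: literal text
            out.extend(part.encode("latin-1"))
    return bytes(out)


# Content strings taken from the two signatures quoted in the post.
SHELLCODE_SIG = "|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00 CD 80|"
TE_HEADER_SIG = "Transfer-Encoding|3A|"

# Each rule is a list of (content, nocase) pairs; every content must match.
RULES = [
    {"msg": "Apache Chunked Encoding Memory Corruption exploit attempt",
     "contents": [(SHELLCODE_SIG, False)]},
    {"msg": "Possible Chunked Encoding transfer attempt",
     "contents": [(TE_HEADER_SIG, True), ("chunked", True)]},
    # Hypothetical rule, NOT from the post: shellcode AND chunked headers
    # required in the same inspected buffer.
    {"msg": "HYPOTHETICAL combined shellcode+chunked rule",
     "contents": [(SHELLCODE_SIG, False), (TE_HEADER_SIG, True), ("chunked", True)]},
]


def content_matches(payload: bytes, pattern: str, nocase: bool) -> bool:
    """One Snort 'content' option: substring match, case-folded if nocase."""
    needle = parse_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def evaluate(payload: bytes, rules=RULES) -> List[str]:
    """Return the msg of every rule whose contents all match the payload."""
    return [r["msg"] for r in rules
            if all(content_matches(payload, c, nc) for c, nc in r["contents"])]


def evaluate_per_segment(segments: Iterable[bytes], rules=RULES) -> List[List[str]]:
    """Mimic a sensor that inspects each TCP segment on its own, i.e. with
    no (or failed) stream reassembly."""
    return [evaluate(seg, rules) for seg in segments]


# ---- constructed sample traffic (not captured data) ----------------------
PLAIN_GET = b"GET /index.html HTTP/1.0\r\n\r\n"

# A legitimate chunked POST; headers in odd case to exercise nocase.
BENIGN_CHUNKED_POST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                       b"transfer-encoding: CHUNKED\r\n\r\n"
                       b"5\r\nhello\r\n0\r\n\r\n")

# Two-segment stream: the signature bytes sit in the first segment, the
# chunked-encoding headers only in the second, mirroring the post's remark
# that the shellcode occurs well before the chunked header in the payload.
SEGMENT_1 = b"POST /" + b"A" * 40 + parse_content(SHELLCODE_SIG) + b"A" * 40
SEGMENT_2 = b" HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
EXPLOIT_LIKE_STREAM = [SEGMENT_1, SEGMENT_2]


if __name__ == "__main__":
    print("plain GET        :", evaluate(PLAIN_GET))
    print("benign chunked   :", evaluate(BENIGN_CHUNKED_POST))
    print("per segment      :", evaluate_per_segment(EXPLOIT_LIKE_STREAM))
    print("reassembled      :", evaluate(b"".join(EXPLOIT_LIKE_STREAM)))
```

Running it shows the trade-off the post describes: the benign chunked POST triggers only the generic chunked-encoding rule (the false-positive source), the per-segment evaluation fires the shellcode rule on the first segment and the chunked rule on the second but never the hypothetical combined rule, and only the fully reassembled stream satisfies all three.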
