[Snort-sigs] Rule 314, named tsig exploit; wrong?

Jesus Couto jesus.couto at ...649...
Thu Jun 27 00:48:02 EDT 2002


Hi.

Doing some tests for a demonstration, we used an exploit for the TSIG 
vulnerability, and to our surprise, Snort didn't detect it.
Looking at the packets, it seems that there is a mistake in rule 314:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)

Because the string /bin/sh doesn't come right after the hex sequence. The 
correct rule should be:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|"; content: "/bin/sh"; classtype:attempted-admin; sid:314; rev:6; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)

Am I right? Or am I missing something?

Thanks in advance and good luck.
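The detection gap described in the post comes down to how Snort evaluates content options: one content:"..." option is a single contiguous byte pattern, while two content options without relative modifiers are searched independently anywhere in the payload. The following script is an added illustration, not part of the original post or of the Snort rule set; it decodes the two versions of rule 314 quoted above and runs them against a constructed UDP payload (a placeholder, not real exploit traffic) in which 16 filler bytes sit between the 13-byte header sequence and the /bin/sh string, which is the layout the poster reports seeing.

```python
import re

# Rule 314 as it shipped (rev:5) and as proposed in the post (rev:6), verbatim.
RULE_314_REV5 = ('alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; '
                 'content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; '
                 'sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)')
RULE_314_REV6 = ('alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; '
                 'content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|"; content: "/bin/sh"; classtype:attempted-admin; '
                 'sid:314; rev:6; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)')

# Constructed sample payload (NOT captured exploit traffic): the 13-byte header
# sequence from the rule, then 16 bytes of neutral filler standing in for
# whatever the packet carries in between, then the /bin/sh string.
# The filler is the whole point: it defeats one contiguous match but not two
# independent ones.
HEADER = bytes.fromhex("80 00 07 00 00 00 00 00 01 3F 00 01 02")
SAMPLE_PAYLOAD = HEADER + b"." * 16 + b"/bin/sh" + b"\x00"
# A benign-looking payload with the header but no /bin/sh, to show rev:6 still
# needs both pieces.
HEADER_ONLY_PAYLOAD = HEADER + b"." * 16 + b"\x00"


def decode_content(spec: str) -> bytes:
    """Decode Snort content syntax: text between |...| is hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_patterns(rule: str) -> list:
    """Return the decoded content:"..." patterns of a rule, in the order written."""
    return [decode_content(m) for m in re.findall(r'content\s*:\s*"([^"]*)"', rule)]


def rule_matches(rule: str, payload: bytes) -> bool:
    """Emulate Snort's payload check for content options carrying no relative
    modifiers: every pattern must occur somewhere in the payload, each searched
    on its own. A single content option is therefore one contiguous byte string."""
    return all(pat in payload for pat in content_patterns(rule))


if __name__ == "__main__":
    for name, rule in (("rev:5", RULE_314_REV5), ("rev:6", RULE_314_REV6)):
        print(name, "patterns:", content_patterns(rule))
        print(name, "matches sample payload:", rule_matches(rule, SAMPLE_PAYLOAD))
        print(name, "matches header-only payload:", rule_matches(rule, HEADER_ONLY_PAYLOAD))
```

Running it shows rev:5 decoding to one 20-byte pattern that never appears contiguously in the sample payload, while rev:6 finds both of its patterns. Two unanchored content options are looser than one, so if the real packets always carry /bin/sh after the header, Snort's relative modifiers (for example `distance:0;` on the second content) would tie the second search to the end of the first match and reduce false positives; that refinement is outside what the post proposes and is mentioned here only as an option.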
