[Snort-sigs] Sig for MS03-051

Frank Knobbe frank at ...1978...
Thu Nov 13 10:52:10 EST 2003


On Thu, 2003-11-13 at 12:24, Adams, Samuel (contractor) wrote:
> I would think you'd want to search for fp30reg.dll since it's
> less common than vti_bin or vti_aut - though I suppose the Transfer encoding
> and chunked content matches will take care of most false positives.

Since I didn't know what else could be overflowed in the vti_aut
section, I thought I'd leave it at the directory level. Any access in
there with chunked input is probably at risk.

> You might also consider adding depth measures to your content matches to
> speed them up (though if the uricontent is checked first - maybe this isn't
> necessary either). It appears that the Transfer-Encoding/chunked content
> shows up near the beginning of the payload. Maybe something like depth: 100
> and depth: 120 respectively? So the new sig might look like:

Good idea. I used one of the existing Frontpage or IIS sigs to start from.
That didn't include depth, but I think it will help prevent FPs.


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post";
flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/fp30reg.dll";
content:"Transfer-Encoding\:"; depth:100; nocase;
content:"chunked"; depth:120; nocase;
classtype:web-application-attack;
reference:url,www.microsoft.com/technet/security/bulletin/ms03-051.asp;
rev:1; sid:11111111111;)

I would probably increase the depth a bit to catch long host names in
any Host: field or other stuff. Perhaps 200?

> Do you have any other references for this? I looked around on google briefly
> and didn't come up with much. security-assessment.com does not seem to
> mention it on their site either.

Not yet, but it is pretty new (released yesterday... well, at least the
fix from MS, not the notification to MS ;)

Thoughts on leaving "fp30reg.dll" off?

Frank
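As an added illustration (not part of the thread, and not Snort's own matcher), the following Python simulates the uricontent / content / depth / nocase checks in the rule above and runs them against constructed HTTP requests. It shows the two points discussed: a long Host header pushes Transfer-Encoding past a depth of 100/120, and dropping "fp30reg.dll" from uricontent makes the rule fire on any DLL under /_vti_bin/_vti_aut/. The request samples and the "placeholder.dll" name are made up; the simulation ignores URI normalization, stream reassembly and flow state.

```python
# Added example: simplified simulation of Snort content/depth/nocase semantics
# for the MS03-051 FrontPage rule. Not Snort code; depth here means "pattern
# must be found entirely within the first N bytes of the payload".

def frontpage_rule(te_depth, chunked_depth, uri="/_vti_bin/_vti_aut/fp30reg.dll"):
    """Build the rule text from the thread with configurable depths and uricontent."""
    return (
        "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS "
        '(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post"; '
        f'flow:to_server,established; uricontent:"{uri}"; '
        f'content:"Transfer-Encoding\\:"; depth:{te_depth}; nocase; '
        f'content:"chunked"; depth:{chunked_depth}; nocase; '
        "classtype:web-application-attack; "
        "reference:url,www.microsoft.com/technet/security/bulletin/ms03-051.asp; "
        "rev:1; sid:11111111111;)"
    )


def parse_rule(rule):
    """Extract uricontent and the ordered content/depth/nocase checks from a rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    uri = None
    checks = []
    for opt in body.split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "uricontent":
            uri = val.strip('"').replace("\\:", ":")
        elif key == "content":
            # depth/nocase options that follow modify this content match
            checks.append({"pattern": val.strip('"').replace("\\:", ":"),
                           "depth": None, "nocase": False})
        elif key == "depth" and checks:
            checks[-1]["depth"] = int(val)
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
    return uri, checks


def payload_matches(rule, payload):
    """Return True if the request line URI and every content check hit."""
    uri, checks = parse_rule(rule)
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or uri is None or uri.encode() not in parts[1]:
        return False
    for check in checks:
        pattern = check["pattern"].encode()
        # depth restricts the search window to the first N payload bytes
        window = payload if check["depth"] is None else payload[:check["depth"]]
        if check["nocase"]:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True


# Constructed sample requests (not captures). Only headers are shown; the
# chunked body is irrelevant to these header checks.
SHORT_HOST = (
    b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    b"Host: fp.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
)
# A 60-character host label pushes Transfer-Encoding past payload byte 100.
LONG_HOST = (
    b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    + b"Host: " + b"a" * 60 + b".example.test\r\n"
    + b"transfer-encoding: Chunked\r\n\r\n"
)
# Same directory, made-up DLL name, to exercise the directory-level variant.
OTHER_DLL = (
    b"POST /_vti_bin/_vti_aut/placeholder.dll HTTP/1.1\r\n"
    b"Host: fp.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
)

if __name__ == "__main__":
    for name, rule in [("depth 100/120", frontpage_rule(100, 120)),
                       ("depth 200/220", frontpage_rule(200, 220)),
                       ("dir-level 200/220", frontpage_rule(200, 220, "/_vti_bin/_vti_aut/"))]:
        for label, req in [("short host", SHORT_HOST), ("long host", LONG_HOST),
                           ("other dll", OTHER_DLL)]:
            print(f"{name:18} {label:10} -> {payload_matches(rule, req)}")
```

Running it shows the 100/120 rule missing the long-Host request that the 200/220 rule catches, and only the directory-level uricontent matching the request for another DLL in _vti_aut.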
