[Snort-sigs] New adobe vulnerability

nnposter at ...592...
Wed Aug 18 21:34:00 EDT 2004


From: "Matthew Jonkman" <matt at ...2436...>
> Just put this rule up on the bleedingsnort.com set for the new adobe 
> exploit detailed here:
> http://idefense.com/application/poi/display?id=126&type=vulnerabilities
> 
> The rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
> Adobe Acrobat Reader Malicious URL Null Byte"; 
> reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; 
> uricontent:".pdf%00"; classtype:web-attack; sid:2002001; rev:1;)
> 
> I'm posting this because this just seems far too simple. I have to be 
> missing something. This look right to everyone?
> 
> Matt

You have not considered the impact of http_inspect. Therefore you need 
to look for a "real" ASCII zero, not its encoding, and do not forget 
to toss in nocase and flow:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; 
flow:to_server,established; uricontent:".pdf|00|"; nocase;
reference:cve,2004-0629; classtype:web-attack; sid:2002001; rev:???;)


Cheers,
nnposter
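As an added illustration of the http_inspect point made above (this is not code from the thread), the following approximates what the preprocessor does to the request URI before uricontent is evaluated, and shows why the literal ".pdf%00" pattern misses while ".pdf|00|" with nocase matches. The normalization here is assumed to be a single percent-decoding pass; the sample URIs are constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request URIs as they would appear on the wire.
SAMPLE_URIS = [
    b"/docs/report.pdf%00.html",   # encoded null byte right after .pdf
    b"/docs/REPORT.PDF%00x",       # upper-case extension, same trick
    b"/docs/report%2Epdf%00",      # the dot is percent-encoded as well
    b"/docs/report.pdf",           # benign request, must not alert
]


def http_inspect_normalize(uri: bytes) -> bytes:
    """Approximation (assumption) of the URI normalization http_inspect
    performs before uricontent matching: percent-encoded octets are
    decoded once, so %00 becomes a genuine zero byte and %2E becomes '.'."""
    return unquote_to_bytes(uri)


def uricontent_match(normalized: bytes, pattern: bytes, nocase: bool) -> bool:
    """Emulate a uricontent test against the normalized URI buffer.
    The pattern is given in raw byte form; Snort's |00| is b'\\x00'."""
    if nocase:
        return pattern.lower() in normalized.lower()
    return pattern in normalized


def evaluate(uri: bytes) -> dict:
    """Run both rule variants from the thread over one URI."""
    norm = http_inspect_normalize(uri)
    return {
        # Matt's rule: literal encoded form, case-sensitive.
        "original_rule": uricontent_match(norm, b".pdf%00", nocase=False),
        # nnposter's rule: decoded null byte, nocase.
        "corrected_rule": uricontent_match(norm, b".pdf\x00", nocase=True),
    }


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, evaluate(uri))
```

Only the corrected rule fires on the three hostile URIs, and neither fires on the benign one; if http_inspect were disabled the raw "%00" would still be present and the original pattern would match instead.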