[Snort-sigs] PNG vulnerabilities and more

Joseph Gama josephgama at ...144...
Thu Aug 19 13:11:03 EDT 2004


Joe,
I can see that you based your rule on the source code
with the else if vulnerability. I based mine on the
code and comments from the exploit, which is why you
look for PLTE while I look for the 0x03 because:

* to 0x03, byte 10 of the IHDR data. that signifies
that a PALETTE chunk should
 * be present. but we don't have one, and that is how
the len check is bypassed.

I tested my rule and it detects pngtest_bad.png, plus
I browsed through hundreds of PNGs and got no false
positives. I haven't tested yours, I didn't see it
before.

Which solution is better? I think that it would be ok
to have both because they look for the same thing in
different ways. Let people test them and find out if
there are false positives.

Peace,

Joseph

--- Joe Stewart <jstewart at ...5...> wrote:

> On Wednesday 18 August 2004 5:03 pm, Joseph Gama wrote:
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (msg:"libPNG - Remotely exploitable stack-based buffer
> > overrun in png_handle_tRNS";
> > pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri";
> > content:"tRNS"; byte_jump:4, -8, relative, big;
> > pcre:"/([\s\S]){8}/R";
> > pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R";
> > reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
> > classtype:misc-activity; sid:2000000; rev:1;)
> 
> Joseph,
> Can you explain why the rule above is preferable to the rule I submitted
> on August 5th for the same vuln:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"BLEEDING-EDGE libpng tRNS overflow attempt";
> content:"|89|PNG|0D 0A 1A 0A|";
> content:!"PLTE"; content:"tRNS";
> byte_test:4,>,256,-8,relative,big;
> flow:established,to_client;
> classtype:attempted-admin;
> reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
> 
> If you've looked at the PNG spec and have found a condition where my
> rule would not fire but the exploit could still work, please let me
> know. Also, since you are not checking for the absence of the PLTE
> header (a necessary condition for the overflow to occur), is it
> possible yours could have false positives?
> 
> -Joe
> 
> -- 
> Joe Stewart, GCIH 
> Senior Security Researcher
> LURHQ http://www.lurhq.com/
> 
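The precondition both rules in this thread encode (IHDR color type 0x03, no PLTE chunk, and a tRNS chunk declaring more than 256 bytes) written as a chunk-level check in Python. This is an added example, not code from either poster or from the Snort project; the two sample streams are constructed test data, not real images.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TRNS_LEN = 256  # the bound Joe's byte_test encodes: a tRNS longer than this is suspect

def iter_chunks(data):
    """Yield (type, declared_length, payload) for each chunk after the signature.
    The declared length is reported as-is, so a truncated or lying tRNS chunk
    is still seen with its claimed size, which is what the rules key on."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, length, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def looks_like_trns_overflow(data):
    """True when the stream has the overflow precondition the thread describes:
    IHDR color type 3 (palette), no PLTE before tRNS, and a tRNS chunk whose
    declared length exceeds 256 bytes."""
    color_type = None
    seen_plte = False
    for ctype, length, payload in iter_chunks(data):
        if ctype == b"IHDR" and len(payload) >= 10:
            color_type = payload[9]  # byte 10 of the IHDR data: 0x03 = indexed colour
        elif ctype == b"PLTE":
            seen_plte = True
        elif ctype == b"tRNS":
            return color_type == 3 and not seen_plte and length > MAX_TRNS_LEN
        elif ctype == b"IEND":
            break
    return False

def chunk(ctype, payload):
    """Assemble one chunk with a correct CRC (helper for the constructed samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def ihdr(color_type):
    # 1x1 image, bit depth 8, given colour type; compression, filter, interlace all 0
    return chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0))

# Constructed samples: a well-formed palette image, and a stream with no PLTE
# and an oversized tRNS, which is the shape both rules are written to catch.
GOOD_PNG = PNG_SIGNATURE + ihdr(3) + chunk(b"PLTE", b"\x00" * 3) + chunk(b"tRNS", b"\x00") + chunk(b"IEND", b"")
BAD_PNG = PNG_SIGNATURE + ihdr(3) + chunk(b"tRNS", b"\x00" * 300) + chunk(b"IEND", b"")
```

Joe's content:!"PLTE" negates a match anywhere in the packet payload, whereas this check only considers chunks that precede tRNS, which is the ordering the PNG spec requires for a palette image.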