[Snort-sigs] New adobe vulnerability

Joseph Gama josephgama at ...144...
Thu Aug 19 13:18:20 EDT 2004


My rule was posted the same day as this posting and it
has no false positives:

alert tcp any any -> any any (msg:"Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability"; pcre:"/[\w]+\.pdf%00[\w-_\.!~*'\"\(\)]+\sHTTP\/1\.1/Bi"; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; classtype:misc-activity; sid:2000000; rev:1;)

The problem with ".pdf|00|"; nocase; is that the zero
char is a string terminator in C and executables can
cause false positives. Plus my rule looks for the
whole exploit to make sure it's not a false positive.
I did forget the ip/ports and flow but that's easy to
change.

--- Matthew Jonkman <matt at ...2436...> wrote:

> Just put this rule up on the bleedingsnort.com set for the new adobe
> exploit detailed here:
> http://idefense.com/application/poi/display?id=126&type=vulnerabilities
> 
> The rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; uricontent:".pdf%00"; classtype:web-attack; sid:2002001; rev:1;)
> 
> I'm posting this because this just seems far too simple. I have to be
> missing something. This look right to everyone?
> 
> Matt



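To make the false-positive argument in this thread concrete, here is an added Python check (not from either poster, and not a Snort component) that emulates both detection styles over constructed sample traffic: a raw byte search for ".pdf" followed by a NUL, as a content:".pdf|00|" match would see it after URI decoding, against the whole-request pcre from the reply. The pcre is converted to Python syntax, and a whitespace match is added before HTTP/1.1 so it fits a normal request line; that whitespace token, the sample payloads, and the function names are my assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# The pcre from the reply in Python syntax. The hyphen inside the character
# class is escaped because Python rejects a range that starts with \w, and a
# whitespace match (\s) is added before HTTP/1.1 so the pattern fits a normal
# request line; that addition is mine, not part of the posted rule. Snort's /B
# modifier (match on raw, undecoded bytes) is emulated by running the regex on
# the raw payload, so "%00" must appear literally for it to fire.
EXPLOIT_URI_RE = re.compile(
    rb"\w+\.pdf%00[\w\-_.!~*'\"()]+\sHTTP/1\.1", re.IGNORECASE)


def content_rule_matches(payload: bytes) -> bool:
    """Emulate content:".pdf|00|"; nocase; on the decoded payload.

    A content match is a plain byte search anywhere in the packet, so it
    fires on any ".pdf" followed by a NUL byte, whatever the context.
    """
    decoded = unquote_to_bytes(payload)  # %00 becomes a real NUL, as after URI normalisation
    return b".pdf\x00" in decoded.lower()


def pcre_rule_matches(payload: bytes) -> bool:
    """Emulate the whole-request pcre: .pdf URI, %00, a tail, then HTTP/1.1."""
    return EXPLOIT_URI_RE.search(payload) is not None


# Constructed sample traffic (not captures from the list or the advisory).
SAMPLES = {
    # 1. The shape the advisory describes: .pdf%00 plus junk inside a request URI.
    "malicious_request": (
        b"GET /docs/report.pdf%00" + b"A" * 48 + b" HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n"),
    # 2. A benign binary download whose bytes happen to contain ".pdf" then a
    #    NUL: the C string-terminator case the reply warns about.
    "benign_exe_response": (
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
        b"MZ\x90\x00\x03\x00" + b"\x00" * 8
        + b"manual.pdf\x00setup.exe\x00" + b"\x00" * 16),
    # 3. An ordinary request for a PDF.
    "benign_request": (
        b"GET /docs/report.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def evaluate(samples=SAMPLES):
    """Run both emulated rules over each sample.

    Returns {name: (content_rule_hit, pcre_rule_hit)}.
    """
    return {name: (content_rule_matches(p), pcre_rule_matches(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (content_hit, pcre_hit) in evaluate().items():
        print(f"{name:22s} content:.pdf|00| -> {content_hit!s:5s}  pcre -> {pcre_hit}")
```

Running it shows the point of the thread: the binary download trips the byte-search rule but not the pcre, while the request that matches the advisory's shape trips both. Snort's real matching adds flow, port and URI-normalisation behaviour that this emulation does not model, so treat it as an illustration of the two rule styles, not as a test of the rules themselves.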



