[Snort-sigs] bleedingsnort PNG rule 2001203 FP?

Federico Petronio petrus at ...2312...
Tue Aug 24 08:17:02 EDT 2004


I found that, if I surf the MySQL site:

http://66.35.250.190/

the rule 2001203 generates alerts (5 for each full refresh). After 
looking at the source, I found only 3 PNGs in the page, and none of those 
triggers the rule by itself, but the whole page does. I really don't 
understand why this happens. Could anyone explain this?

One of the generated alerts is as follows:

"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"    2004-08-24 12:06:12    66.35.250.190:80    10.1.0.44:2312    TCP

and the payload (length = 432):

000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D   HTTP/1.1 200 OK.
010 : 0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 20 41   .Date: Tue, 24 A
020 : 75 67 20 32 30 30 34 20 31 35 3A 30 35 3A 35 39   ug 2004 15:05:59
030 : 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70    GMT..Server: Ap
040 : 61 63 68 65 2F 31 2E 33 2E 32 36 20 28 55 6E 69   ache/1.3.26 (Uni
050 : 78 29 20 44 65 62 69 61 6E 20 47 4E 55 2F 4C 69   x) Debian GNU/Li
060 : 6E 75 78 20 50 48 50 2F 34 2E 33 2E 37 0D 0A 4C   nux PHP/4.3.7..L
070 : 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46 72   ast-Modified: Fr
080 : 69 2C 20 30 39 20 41 70 72 20 32 30 30 34 20 30   i, 09 Apr 2004 0
090 : 33 3A 33 36 3A 34 39 20 47 4D 54 0D 0A 45 54 61   3:36:49 GMT..ETa
0a0 : 67 3A 20 22 33 63 38 31 31 34 2D 39 65 2D 34 30   g: "3c8114-9e-40
0b0 : 37 36 31 61 35 31 22 0D 0A 41 63 63 65 70 74 2D   761a51"..Accept-
0c0 : 52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43   Ranges: bytes..C
0d0 : 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31   ontent-Length: 1
0e0 : 35 38 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20   58..Connection:
0f0 : 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54   close..Content-T
100 : 79 70 65 3A 20 69 6D 61 67 65 2F 70 6E 67 0D 0A   ype: image/png..
110 : 0D 0A 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48   ...PNG........IH
120 : 44 52 00 00 00 02 00 00 00 02 08 03 00 00 00 45   DR.............E
130 : 68 FD 16 00 00 00 04 67 41 4D 41 00 00 AF C8 37   h......gAMA....7
140 : 05 8A E9 00 00 00 19 74 45 58 74 53 6F 66 74 77   .......tEXtSoftw
150 : 61 72 65 00 41 64 6F 62 65 20 49 6D 61 67 65 52   are.Adobe ImageR
160 : 65 61 64 79 71 C9 65 3C 00 00 00 06 50 4C 54 45   eadyq.e<....PLTE
170 : 7F 7F 7F 00 00 00 17 CD C1 0F 00 00 00 02 74 52   ..............tR
180 : 4E 53 FF 00 E5 B7 30 4A 00 00 00 10 49 44 41 54   NS....0J....IDAT
190 : 78 DA 62 60 60 64 60 64 04 08 30 00 00 0D 00 04   x.b``d`d..0.....
1a0 : C6 48 B3 61 00 00 00 00 49 45 4E 44 AE 42 60 82   .H.a....IEND.B`.

The rule I use is "sid: 2001203; rev: 1", and Snort version 2.1.2 (Build 
25).

Thank you...
-- 
                                         Federico Petronio
                                         petrus at ...2312...
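To make the alerted payload inspectable, here is an added example (my code, not part of the post and not the bleedingsnort rule set) that decodes the hex dump above: it splits the HTTP response from the body, checks Content-Length against the body, walks the PNG chunk list verifying each CRC, and tests the tRNS chunk length against what the PNG specification permits for the IHDR colour type (one byte per PLTE entry for palette images, 2 bytes for greyscale, 6 for truecolour, none for alpha types). It says nothing about the matching logic of sid 2001203, which the post does not reproduce; the check is the spec constraint. The hex constant is the dump from the post transcribed two rows per line, and the 1x1 palette images built by `make_palette_png` are constructed test inputs.

```python
import struct
import zlib

# Constructed copy of the alerted payload from the post (HTTP/1.1 response headers
# followed by the 158-byte PNG), transcribed from the hex dump: two dump rows per line.
PAYLOAD_HEX = """
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 75 65 2C 20 32 34 20 41
75 67 20 32 30 30 34 20 31 35 3A 30 35 3A 35 39 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70
61 63 68 65 2F 31 2E 33 2E 32 36 20 28 55 6E 69 78 29 20 44 65 62 69 61 6E 20 47 4E 55 2F 4C 69
6E 75 78 20 50 48 50 2F 34 2E 33 2E 37 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 69 65 64 3A 20 46 72
69 2C 20 30 39 20 41 70 72 20 32 30 30 34 20 30 33 3A 33 36 3A 34 39 20 47 4D 54 0D 0A 45 54 61
67 3A 20 22 33 63 38 31 31 34 2D 39 65 2D 34 30 37 36 31 61 35 31 22 0D 0A 41 63 63 65 70 74 2D
52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31
35 38 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54
79 70 65 3A 20 69 6D 61 67 65 2F 70 6E 67 0D 0A 0D 0A 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48
44 52 00 00 00 02 00 00 00 02 08 03 00 00 00 45 68 FD 16 00 00 00 04 67 41 4D 41 00 00 AF C8 37
05 8A E9 00 00 00 19 74 45 58 74 53 6F 66 74 77 61 72 65 00 41 64 6F 62 65 20 49 6D 61 67 65 52
65 61 64 79 71 C9 65 3C 00 00 00 06 50 4C 54 45 7F 7F 7F 00 00 00 17 CD C1 0F 00 00 00 02 74 52
4E 53 FF 00 E5 B7 30 4A 00 00 00 10 49 44 41 54 78 DA 62 60 60 64 60 64 04 08 30 00 00 0D 00 04
C6 48 B3 61 00 00 00 00 49 45 4E 44 AE 42 60 82
"""

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Fixed tRNS sizes for non-palette images: greyscale (0) one 2-byte sample, truecolour (2) three.
TRNS_FIXED_LEN = {0: 2, 2: 6}

def split_http_response(payload):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("payload has no end-of-headers marker")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in header_lines)}
    return status, headers, body

def parse_png_chunks(data):
    """Walk the chunks after the PNG signature, keeping type, length, data and CRC validity."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}: declared length {length}")
        cdata = data[pos + 8:end - 4]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        chunks.append({"type": ctype.decode("latin-1"), "length": length,
                       "data": cdata, "crc_ok": zlib.crc32(ctype + cdata) == crc})
        pos = end
        if ctype == b"IEND":
            break
    return chunks

def check_trns(chunks):
    """Return (ok, reason): is the tRNS length legal for the image's colour type?"""
    types = [c["type"] for c in chunks]
    first = {t: chunks[types.index(t)] for t in types}  # first occurrence of each chunk type
    if "IHDR" not in first or first["IHDR"]["length"] != 13:
        return False, "bad or missing IHDR"
    color_type = first["IHDR"]["data"][9]
    if "tRNS" not in first:
        return True, "no tRNS chunk"
    trns_len = first["tRNS"]["length"]
    if color_type == 3:  # palette image: one transparency byte per PLTE entry, PLTE must come first
        if "PLTE" not in first or types.index("PLTE") > types.index("tRNS"):
            return False, "palette image carries tRNS without a preceding PLTE"
        entries = min(first["PLTE"]["length"] // 3, 256)
        if trns_len > entries:
            return False, f"tRNS length {trns_len} exceeds {entries} palette entries"
        return True, f"tRNS length {trns_len} <= {entries} palette entries"
    expected = TRNS_FIXED_LEN.get(color_type)  # None for alpha types 4 and 6, where tRNS is forbidden
    if trns_len != expected:
        return False, f"tRNS length {trns_len} invalid for colour type {color_type} (allowed: {expected})"
    return True, f"tRNS length {trns_len} matches colour type {color_type}"

def analyze_payload(hex_dump):
    """Decode a hex dump of an HTTP response carrying a PNG and summarise what it holds."""
    status, headers, body = split_http_response(bytes.fromhex("".join(hex_dump.split())))
    chunks = parse_png_chunks(body)
    ihdr = chunks[0]["data"]
    ok, reason = check_trns(chunks)
    return {"status": status, "headers": headers,
            "content_length_matches": headers.get("content-length") == str(len(body)),
            "size": struct.unpack(">II", ihdr[:8]), "color_type": ihdr[9],
            "chunks": [(c["type"], c["length"]) for c in chunks],
            "all_crc_ok": all(c["crc_ok"] for c in chunks), "trns_ok": ok, "trns_reason": reason}

def make_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_palette_png(palette, trns):
    """Constructed 1x1 8-bit palette PNG with the given PLTE and tRNS bodies (no IDAT)."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0))
    return PNG_SIG + ihdr + make_chunk(b"PLTE", palette) + make_chunk(b"tRNS", trns) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    print(analyze_payload(PAYLOAD_HEX))
    # Constructed counter-example: two palette entries but three transparency bytes.
    print(check_trns(parse_png_chunks(make_palette_png(b"\x7f\x7f\x7f\x00\x00\x00", b"\xff\x00\x80"))))
```

Run against the dump, the image comes out as a 2x2, 8-bit palette PNG with chunks IHDR, gAMA, tEXt, PLTE, tRNS, IDAT, IEND, a 2-byte tRNS covering a 2-entry palette, and a body length that matches the Content-Length header; the constructed counter-example shows what an oversized tRNS looks like to the same check.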
