[Snort-sigs] WEB-CLIENT IE local resource invocation attempt

nnposter at ...592... nnposter at ...592...
Thu Jun 10 15:30:15 EDT 2004


Rule:  
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"WEB-CLIENT IE local resource invocation attempt"; 
flow:to_client,established; content:"Location\:"; nocase; 
content:"URL\:"; nocase; distance:0; pcre:"/^Location\:\s*URL\:/smi"; 
reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user;)

--
Sid:
(new submission)

--
Summary:
An internet page from an external webserver contained code to load and run
a local resource.

--
Impact:
Unpatched web browser will allow the attacker can run arbitrary code on
the client system in the security context of the current user.

--
Detailed Information:
More information, including links to other third parties, can be found at
CERT http://www.kb.cert.org/vuls/id/713878

--
Affected Systems:
Internet Explorer

--
Attack Scenarios:
Attacker tricks the user to follow a HTTP link in an e-mail message or on
a web site.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply patch from the vendor, once available.

--
Contributors:
Jelmer (jkuper usplanet.nl)
nnposter

-- 
Additional References:
http://www.kb.cert.org/vuls/id/713878
http://secunia.com/advisories/11793/
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
http://62.131.86.111/analysis.htm




More information about the Snort-sigs mailing list