[Snort-sigs] VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Tue Apr 12 12:01:43 EDT 2005
The Sourcefire Vulnerability Research Team (VRT) has learned of serious 
vulnerabilities affecting Microsoft Internet Explorer and the Microsoft
Windows operating system.

Dynamic HTML extends static HTML pages to allow interactive web pages to
be easily created. A flaw in the Microsoft Internet Explorer DHTML
Engine may allow an attacker to exploit a race condition and possibly
execute code of their choosing on the victim host with the privileges of
the user running Internet Explorer.

Internet Explorer allows various DHTML objects to be used via
Javascript. Poor memory management in the object handling code of
Internet Explorer may allow an attacker to overwrite portions of memory
and execute code of their choosing on a vulnerable host.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3549 and 3553.

A programming error in Microsoft Internet Explorer may allow an attacker
to execute code of their choosing on a vulnerable host. Specifically,
the error lies in the handling of hostnames longer than 256 characters.
When IE tries to process a hostname of this length or longer, the
process may crash or cause the application to become unstable,
presenting the attacker with an opportunity to execute code of their
choosing on an affected system.

A Rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3550.
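The hostname-length condition described above can be checked in content inspection code as well. The following is an added illustration, not the VRT rule for sid 3550 or any Sourcefire code: it pulls http/https URLs out of a text or HTML body, isolates the hostname from any userinfo or port, and reports those longer than the 256-character limit the advisory cites (the regex, the sample HTML and the 256 threshold constant are this example's own assumptions).

```python
import re
from typing import Dict, List

# Threshold taken from the advisory text: hostnames longer than 256 characters.
MAX_HOSTNAME_LEN = 256

# Match an http:// or https:// scheme followed by the authority component,
# stopping at the first path, query, fragment, whitespace, quote or tag char.
_HTTP_URL_RE = re.compile(r"""https?://([^\s"'<>/?#]+)""", re.IGNORECASE)


def extract_hostname(authority: str) -> str:
    """Strip userinfo (user:pass@) and port from a URL authority component."""
    host = authority.rsplit("@", 1)[-1]
    if host.startswith("["):
        # IPv6 literal: keep everything up to and including the closing bracket
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def find_long_hostnames(content: str, limit: int = MAX_HOSTNAME_LEN) -> List[Dict[str, object]]:
    """Return one record per http(s) URL whose hostname exceeds `limit` characters."""
    hits: List[Dict[str, object]] = []
    for m in _HTTP_URL_RE.finditer(content):
        host = extract_hostname(m.group(1))
        if len(host) > limit:
            hits.append({
                "offset": m.start(),      # byte/char offset of the URL in the content
                "host_len": len(host),
                "host_prefix": host[:32], # enough to identify the URL in a report
            })
    return hits


# Constructed sample page: one ordinary link and one with an oversized hostname.
SAMPLE_HTML = (
    "<html><body>"
    '<a href="http://www.example.com/index.html">ok</a>'
    '<a href="http://' + "a" * 300 + '.example/x">bad</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for h in find_long_hostnames(SAMPLE_HTML):
        print(f"oversized hostname at offset {h['offset']}: {h['host_len']} chars")
```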

Microsoft Windows has design errors that may enable an attacker to
execute code of their choosing on a vulnerable system. Specifically, it
is possible to execute code from objects not marked as executable.

Microsoft OLE2 allows objects to be executed by integrating
applications. The Class ID (CLSID) of an object allows objects to be
loaded by multiple applications. This CLSID is embedded in the object
and may be manipulated by an attacker to force an application into
executing code of the attacker's choosing.

Specifically, the CLSID can be made to point at the Microsoft HTML
Application Host (MSHTA). MSHTA.EXE will process each line of a file and
execute any script code it finds.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3551 and 3552.

Below is the complete list of rules modified and added in the Sourcefire
VRT Certified Rule Pack.

New rules:
3549 - WEB-CLIENT HTML DOM invalid element creation attempt (web-client.rules)
3550 - WEB-CLIENT HTML http scheme hostname overflow attempt (web-client.rules)
3551 - WEB-CLIENT .hta download attempt (web-client.rules)
3552 - WEB-CLIENT OLE32 MSHTA masquerade attempt (web-client.rules)
3553 - WEB-CLIENT HTML DOM null element insertion attempt (web-client.rules)

Updated rules:
539 - NETBIOS Samba client access (deleted.rules)
893 - WEB-CGI MachineInfo access (deleted.rules)
1042 - WEB-IIS view source via translate header (web-iis.rules)
1186 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1188 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1189 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1190 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1191 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1198 - WEB-MISC Netscape Enterprise Server directory view (web-misc.rules)
1826 - WEB-MISC WEB-INF access (web-misc.rules)
1844 - IMAP authenticate overflow attempt (imap.rules)
3070 - IMAP fetch overflow attempt (imap.rules)

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
