[Snort-sigs] Windows Messenger/MSN Messenger

Jaramillo, Paul D [CC] Paul.D.Jaramillo at ...2992...
Wed Feb 9 09:14:14 EST 2005


I've been reviewing the new signatures for the PNG Buffer Overflow
Vulnerability (MS05-009), and I'm not sure that these would even work. From
the testing that I've done today, every capture is wrapped in Microsoft's
messaging protocol and generates false negatives when a PNG image is
displayed or transferred. Any thoughts?

Snort Signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; distance:4; within:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype:attempted-admin; sid:2673; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:2001058; rev:2;)

Snort Signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"libPNG - Remotely exploitable stack-based bufferoverrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S])\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S])/R"; pcre:"/([a-zA-Z])[A-Z][a-zA-Z]/R"; reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2000000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; distance:4; within:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:cve,2004-0597; reference:bugtraq,10872; classtype:attempted-admin; sid:2673; rev:2;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:1000117; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:2001058; rev:2;)

Thx

Paul D. Jaramillo
Security Event Management
Sprint Corporate Security
913-315-8036
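
To make the point of the question concrete, here is an added example (not code from the original post, nor from the Snort or Bleeding Edge rule authors) that mirrors the detection logic of sid 2673 in Python: the PNG signature, the `IHDR` at a fixed offset, the "no `PLTE`" pcre, and the `byte_test` on the 4-byte big-endian length that precedes `tRNS`. It runs that logic over constructed PNGs, then shows the two reasons the rule can miss the same bytes inside a messaging protocol: the rule header only inspects traffic from `$HTTP_PORTS`, and a per-message protocol header inserted inside the image breaks the fixed-offset `IHDR` check. The 48-byte header, the fragment sizes and the port set are assumptions for illustration, not captured Messenger framing; the "retry later content occurrences" behaviour in the loop is also an assumption about the Snort 2 detection engine.

```python
"""Mirror of the Snort sid 2673 detection options (libpng tRNS overflow,
CVE-2004-0597) run over constructed PNG payloads.  Added example; the
protocol envelope and port values below are assumptions, not real traffic."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # content:"|89|PNG|0D 0A 1A 0A|"
HTTP_PORTS = {80, 8080}              # stand-in for $HTTP_PORTS (assumption)
FRAME_HEADER = b"\x00" * 48          # constructed per-message header, not MSN's


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """PNG chunk: 4-byte big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(trns_len: int, with_plte: bool = False) -> bytes:
    """1x1 PNG whose tRNS chunk carries trns_len data bytes (constructed)."""
    color_type = 3 if with_plte else 2            # 3 = palette, 2 = RGB
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0)
    chunks = [png_chunk(b"IHDR", ihdr)]
    if with_plte:
        chunks.append(png_chunk(b"PLTE", b"\x00\x00\x00"))
    chunks.append(png_chunk(b"tRNS", b"\x00" * trns_len))
    chunks.append(png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")))
    chunks.append(png_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


def sid2673_payload_match(payload: bytes) -> bool:
    """Apply the content/pcre/byte_test options of sid 2673 to one buffer."""
    sig = payload.find(PNG_SIG)
    if sig < 0:
        return False
    after_sig = sig + len(PNG_SIG)
    # content:"IHDR"; distance:4; within:4 -> "IHDR" must start exactly
    # 4 bytes past the signature, i.e. right after the IHDR length field.
    if payload[after_sig + 4:after_sig + 8] != b"IHDR":
        return False
    after_ihdr = after_sig + 8
    # pcre:"/IHDR(?!.*?PLTE).*?tRNS/s" -> PLTE must not occur after IHDR.
    if b"PLTE" in payload[after_ihdr:]:
        return False
    # content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big
    # byte_test reads the 4-byte big-endian value 8 bytes back from the end
    # of the "tRNS" match, which is the chunk length field.  The loop assumes
    # the engine retries later "tRNS" occurrences when byte_test fails.
    t = payload.find(b"tRNS", after_ihdr)
    while t >= 0:
        (length,) = struct.unpack(">I", payload[t - 4:t])
        if length > 256:
            return True
        t = payload.find(b"tRNS", t + 1)
    return False


def sid2673_fires(src_port: int, payload: bytes) -> bool:
    """Rule header: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any.
    A server port outside $HTTP_PORTS is never inspected by this rule."""
    return src_port in HTTP_PORTS and sid2673_payload_match(payload)


def wrap_in_fragments(data: bytes, frag_size: int, header: bytes) -> bytes:
    """Constructed stand-in for a chunked messaging transfer: each frag_size
    bytes of the image are preceded by a fixed protocol header."""
    return b"".join(header + data[i:i + frag_size]
                    for i in range(0, len(data), frag_size))


if __name__ == "__main__":
    bad = build_png(300)
    print("raw PNG, tRNS len 300, from port 80:   ", sid2673_fires(80, bad))
    print("same bytes from port 1863:             ", sid2673_fires(1863, bad))
    print("fragmented so a header splits the IHDR:",
          sid2673_payload_match(wrap_in_fragments(bad, 12, FRAME_HEADER)))
```

With the 12-byte fragment size the header lands between the IHDR length field and the `IHDR` type, so the `distance:4; within:4` check fails even though every PNG byte is present; with a fragment larger than the image the payload still matches, and only the `$HTTP_PORTS` gate is left to suppress the alert. Whether the real Messenger framing produces either condition is exactly what needs checking against the captures.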
