[Snort-sigs] False positive in 3070.1 (IMAP fetch overflow attempt)

Matthew Watchinski mwatchinski at ...435...
Wed Jan 19 15:49:09 EST 2005


Hum....  0x100 != 100 decimal

asm for buffer creation.
LEA EAX, DWORD PTR SS[EBP-100]

It should be 256 we'll get this updated.

Cheers,
-matt

nnposter at ...592... wrote:

>The current version:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
>(msg:"IMAP fetch overflow attempt"; flow:established,to_server; 
>content:"FETCH"; nocase; isdataat: 100,relative; 
>pcre:"/\sFETCH\s[^\n]{100}/smi"; 
>reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:1;)
>
>
>Could somebody at Sourcefire confirm that the buffer overflow happens as 
>early as 100 bytes? All published PoC for BID 11775 have the NOP sled 
>260 bytes long. Having legitimate FETCH with message specifiers over 100 
>bytes is quite common. 
>
>Cheers,
>nnposter
>
>
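The threshold question in this thread, as an added example that is not part of the original posts or of the Snort rule set: a small Python approximation of how SID 3070's content / isdataat / pcre checks behave with the rev 1 value of 100 versus the corrected 256 (0x100), run over constructed IMAP FETCH commands. The helper names and the sample payloads below are assumptions for illustration, not Snort's own matching engine.

```python
import re


def snort_sid3070_matches(payload: bytes, threshold: int) -> bool:
    """Approximate SID 3070 (hypothetical helper, not Snort code):
    content:"FETCH"; nocase; isdataat:<threshold>,relative;
    pcre:"/\\sFETCH\\s[^\\n]{<threshold>}/smi"
    """
    # content:"FETCH"; nocase; -> first case-insensitive FETCH in the payload
    idx = payload.lower().find(b"fetch")
    if idx < 0:
        return False
    # isdataat:<threshold>,relative -> at least <threshold> bytes must follow
    # the end of the content match
    remaining = len(payload) - (idx + len(b"FETCH"))
    if remaining < threshold:
        return False
    # pcre with /smi -> whitespace, FETCH, whitespace, then <threshold>
    # consecutive non-newline bytes (\r is allowed by [^\n])
    pattern = re.compile(rb"\sFETCH\s[^\n]{%d}" % threshold, re.S | re.M | re.I)
    return pattern.search(payload) is not None


def legit_fetch(n_msgs: int) -> bytes:
    # Constructed, legitimate FETCH with a long message-set specifier
    # (odd sequence numbers 1, 3, 5, ...), the kind of traffic the
    # original poster describes as common.
    spec = b",".join(str(i).encode() for i in range(1, n_msgs * 2, 2))
    return b"A001 FETCH " + spec + b" (FLAGS INTERNALDATE RFC822.SIZE)\r\n"


def oversize_fetch(length: int = 260) -> bytes:
    # Constructed test payload: a FETCH argument of <length> filler bytes,
    # sized after the 260-byte figure quoted in the thread.
    return b"A001 FETCH " + b"A" * length + b"\r\n"


if __name__ == "__main__":
    for name, payload in (("legit", legit_fetch(40)), ("oversize", oversize_fetch())):
        for threshold in (100, 256):
            hit = snort_sid3070_matches(payload, threshold)
            print(f"{name:8s} threshold={threshold:3d} alert={hit}")
```

With the constructed 40-message FETCH (147 bytes of arguments), the rev 1 threshold of 100 alerts while 256 does not, which is the false positive the thread describes; the 260-byte payload alerts under both.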