[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Brian bmc at ...95...
Mon Jan 24 07:53:10 EST 2005


On Sat, Jan 22, 2005 at 09:25:43PM -0700, nnposter wrote:
>     pcre:"/w3who.dll\x3F[^\r\n]{519}/i"
> 
> and therefore assumes that the string "w3who.dll?" in the URI is not 
> encoded. Use of any valid encoding, such as "w3who%2edll?", will 
> circumvent the rule.

The false negatives are known.  The rule isn't using the URI buffer
since one of the more popular available exploits (metasploit) uses
tabs as shellcode.  HttpInspect has a bug where it accepts TAB as a
delimiter on IIS servers; TAB isn't accepted on systems vulnerable to
w3who.dll.

So, until that bug is fixed in HttpInspect, the rule can't use the URI
buffer to find the buffer overflow.

> Also, the dot in the PCRE should be escaped (although a chance of 
> a false negative seems low).

Yep. 

Brian
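The two points raised in the thread (the raw-payload PCRE misses an encoded "w3who%2edll?", and a URI-buffer match would miss a tab-filled payload while HttpInspect cuts the URI at TAB) can be reproduced without Snort. The following is an added example written for this page, not code from Snort or from either poster: it applies the rule's PCRE as posted (and with the dot escaped) to constructed HTTP requests, and uses a deliberately simplified stand-in for HttpInspect's URI normalization (percent-decoding plus an optional "treat TAB as a delimiter" cut). The normalization function, the sample requests and their sizes are assumptions for illustration only.

```python
import re
from urllib.parse import unquote_to_bytes

# Rule 3087.1's PCRE exactly as quoted in the thread (unescaped dot),
# applied to the raw request rather than the normalized URI buffer.
RAW_PCRE = re.compile(rb"w3who.dll\x3F[^\r\n]{519}", re.I)
# The same pattern with the dot escaped, as nnposter suggested.
FIXED_PCRE = re.compile(rb"w3who\.dll\x3F[^\r\n]{519}", re.I)

def request_line(path, query):
    """Build a minimal HTTP/1.0 GET request (constructed sample input)."""
    return b"GET " + path + b"?" + query + b" HTTP/1.0\r\nHost: target\r\n\r\n"

# Constructed sample requests; 600 bytes comfortably exceeds the rule's 519.
PLAIN_REQ   = request_line(b"/scripts/w3who.dll",   b"A" * 600)
ENCODED_REQ = request_line(b"/scripts/w3who%2edll", b"A" * 600)   # encoded dot
TAB_REQ     = request_line(b"/scripts/w3who.dll",   b"\t" * 600)  # tab-filled payload
DOT_REQ     = request_line(b"/scripts/w3whoXdll",   b"A" * 600)   # not the DLL at all

def raw_match(req, pat=RAW_PCRE):
    """What the rule does today: search the raw request bytes."""
    return pat.search(req) is not None

def uri_of(req):
    """Request-target between the method and the HTTP version."""
    return req.split(b" ", 2)[1]

def normalize_uri(uri, tab_is_delimiter):
    """Assumed toy stand-in for HttpInspect URI normalization:
    percent-decode, and when emulating the IIS-profile bug described
    in the thread, cut the URI at the first TAB."""
    if tab_is_delimiter:
        uri = uri.split(b"\t", 1)[0]
    return unquote_to_bytes(uri)

def uri_match(req, tab_is_delimiter, pat=FIXED_PCRE):
    """What the rule would see if it used the normalized URI buffer."""
    return pat.search(normalize_uri(uri_of(req), tab_is_delimiter)) is not None

def summary():
    """Tabulate which variant each matching strategy catches."""
    return {
        "raw:plain":      raw_match(PLAIN_REQ),
        "raw:encoded":    raw_match(ENCODED_REQ),   # false negative
        "raw:tabs":       raw_match(TAB_REQ),
        "uri:encoded":    uri_match(ENCODED_REQ, tab_is_delimiter=False),
        "uri:tabs":       uri_match(TAB_REQ, tab_is_delimiter=False),
        "uri-bug:tabs":   uri_match(TAB_REQ, tab_is_delimiter=True),  # false negative
        "unescaped-dot":  raw_match(DOT_REQ),
        "escaped-dot":    raw_match(DOT_REQ, FIXED_PCRE),
    }

if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name:15} {'MATCH' if hit else 'no match'}")
```

Run as a script it prints one line per case: the raw-buffer rule catches the plain and tab-filled requests but not the percent-encoded name, while a URI-buffer rule catches the encoded name but, once TAB is treated as a delimiter, loses the tab-filled payload, which is the trade-off Brian describes. The last two rows show that the unescaped dot lets the posted pattern also match names that are not w3who.dll.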
