[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

nnposter nnposter at ...592...
Mon Jan 24 23:26:02 EST 2005


Brian wrote:
> On Sat, Jan 22, 2005 at 09:25:43PM -0700, nnposter wrote:
> >     pcre:"/w3who.dll\x3F[^\r\n]{519}/i"
> > 
> > and therefore assumes that the string "w3who.dll?" in the URI is not 
> > encoded. Use of any valid encoding, such as "w3who%2edll?", will 
> > circumvent the rule.
> 
> The false negatives are known.  The rule isn't using the URI buffer
> since one of the more popular available exploits (metasploit) uses
> tabs as a shellcode.  HttpInspect has a bug where it accepts TAB as a
> delimiter on IIS servers, which isn't accepted on systems vulnerable to
> w3who.dll.
> 
> So, until that bug is fixed in HttpInspect, the rule can't use the URI
> buffer to find the buffer overflow.

I am not sure that it needs to use the URI buffer to identify a long URI. 
Could it not use uricontent to verify that w3who.dll is present and then
a non-URI PCRE looking for a long HTTP request line (but not necessarily
verifying that it includes w3who.dll)? Something like

    /^\s*[A-Z]+ +[^ \n]{519}/m


Cheers,
nnposter
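The two detection strategies discussed in this thread, side by side, as an added example that is not part of the original post and not Snort's own code: the original rule's single PCRE on the raw request, versus the proposed split into a normalized uricontent check plus a non-URI PCRE for a long request line. The uricontent_match function is an assumption, a percent-decoding stand-in for HttpInspect's URI normalization, and the sample requests are constructed here, padded with plain 'A' bytes or tabs rather than any real payload.

```python
import re
from urllib.parse import unquote

# The original rule's PCRE, quoted in the thread, run on the raw request.
# It needs "w3who.dll?" to appear literally, so "w3who%2edll?" slips past it.
ORIGINAL_PCRE = re.compile(rb"w3who\.dll\x3F[^\r\n]{519}", re.IGNORECASE)

# The non-URI PCRE proposed in the reply: any method, then a request target
# of at least 519 non-space bytes. Tabs are not spaces, so a tab-padded
# target (the Metasploit case Brian mentions) still counts toward 519.
LONG_REQUEST_LINE = re.compile(rb"^\s*[A-Z]+ +[^ \n]{519}", re.MULTILINE)


def uricontent_match(request: bytes, needle: bytes = b"w3who.dll") -> bool:
    """Approximate Snort's uricontent: match against the percent-decoded,
    case-folded request target. Assumption: this stands in for HttpInspect's
    URI normalization and does not reproduce its delimiter handling."""
    first_line = request.split(b"\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        return False
    # latin-1 keeps every byte value round-trippable through str and back.
    uri = unquote(parts[1].decode("latin-1")).encode("latin-1")
    return needle.lower() in uri.lower()


def original_rule(request: bytes) -> bool:
    """Detection outcome of the single raw-buffer PCRE."""
    return ORIGINAL_PCRE.search(request) is not None


def proposed_rule(request: bytes) -> bool:
    """Detection outcome of uricontent + long-request-line PCRE."""
    return uricontent_match(request) and LONG_REQUEST_LINE.search(request) is not None


def build_request(path: bytes, pad: bytes) -> bytes:
    """Constructed sample: GET <path>?<pad> with a minimal header block."""
    return b"GET " + path + b"?" + pad + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"


def evaluate(request: bytes) -> tuple:
    """(original_rule fired, proposed_rule fired) for one request."""
    return original_rule(request), proposed_rule(request)


if __name__ == "__main__":
    samples = {
        "plain":    build_request(b"/w3who.dll",    b"A" * 519),
        "encoded":  build_request(b"/w3who%2edll", b"A" * 519),
        "tabbed":   build_request(b"/w3who%2edll", b"\t" * 519),
        "short":    build_request(b"/w3who.dll",    b"A" * 50),
        "othercgi": build_request(b"/other.dll",    b"A" * 519),
    }
    for name, req in samples.items():
        orig, prop = evaluate(req)
        print(f"{name:9s} original={orig!s:5s} proposed={prop!s:5s}")
```

Running it shows the encoded and tab-padded requests caught only by the split approach, while a long request to a different CGI is still ignored because the uricontent check fails first. The stand-in normalizer decodes percent escapes only; whether the real HttpInspect treats a tab-terminated target the same way is exactly the bug Brian describes, so the split rule would still depend on that being fixed for the uricontent half.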
