[Snort-sigs] Sourcefire VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Fri Jul 22 15:25:49 EDT 2005


Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting Microsoft Windows, RealPlayer, MailEnable,
the PHP XML-RPC module and FutureSoft TFTP server.


Details:
A programming error in the processing of malformed InfoTech protocol
messages used by Microsoft help, can lead to the exposure of a buffer
overflow condition. An attacker may be able to overflow this buffer and
supply code of their choosing to be executed on the system with the
privileges of the administrative account. In addition, applications may
treat Windows Help as a trusted program and further exploitation and
host firewall bypass may be possible.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3819 through 3821.

The RealPlayer media player uses RealText to support streaming text
documents. A vulnerability exists in the way RealPlayer handles a
malformed request for a .rt file that contains an incorrect RealText
version number. If an overly long .rt filename is requested and an
incorrect RealText version is specified, a buffer allocated to handle
error conditions can be overflowed. This may permit the execution of
arbitrary code.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3822 through 3823.

MailEnable is a Windows-based mail server. A vulnerability exists in
the MailEnable SMTP server, possibly allowing a denial of service or
the execution of arbitrary code with system privileges.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3824.

A vulnerability exists in the PHP XML-RPC module that may allow
unauthorized users to execute arbitrary commands. No user
authentication is required to execute these commands.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3827.

A vulnerability exists in the FutureSoft TFTP server when processing
overly long read or write requests for either a file name or transfer
mode string. This may cause a buffer overflow and the subsequent
execution of arbitrary commands on a vulnerable server.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3817 through 3818.

New rules:
3815 - SMTP eXchange POP3 mail server overflow attempt (smtp.rules)
3816 - WEB-MISC BadBlue ext.dll buffer overflow attempt (web-misc.rules)
3817 - TFTP GET transfer mode overflow attempt (tftp.rules)
3818 - TFTP PUT transfer mode overflow attempt (tftp.rules)
3819 - WEB-CLIENT multipacket CHM file transfer start (web-client.rules)
3820 - WEB-CLIENT multipacket CHM file transfer attempt (web-client.rules)
3821 - WEB-CLIENT CHM file transfer attempt (web-client.rules)
3822 - WEB-MISC Real Player realtext long URI request (web-misc.rules)
3823 - WEB-MISC Real Player realtext file bad version buffer overflow attempt (web-misc.rules)
3824 - SMTP AUTH user overflow attempt (smtp.rules)
3825 - POLICY AOL Instant Messenger Message Send (policy.rules)
3826 - POLICY AOL Instant Messenger Message Receive (policy.rules)
3827 - WEB-PHP xmlrpc.php post attempt (web-php.rules)

Updated rules:
686 - MS-SQL xp_reg* - registry access (sql.rules)
689 - MS-SQL/SMB xp_reg* registry access (sql.rules)
971 - WEB-IIS ISAPI .printer access (web-iis.rules)
1018 - WEB-IIS iisadmpwd attempt (web-iis.rules)
1126 - WEB-MISC AuthChangeUrl access (web-misc.rules)
1447 - MISC MS Terminal server request RDP (misc.rules)
1476 - WEB-CGI sdbsearch.cgi access (web-cgi.rules)
1483 - WEB-CGI ustorekeeper.pl access (web-cgi.rules)
1526 - WEB-MISC basilix sendmail.inc access (web-misc.rules)
1527 - WEB-MISC basilix mysql.class access (web-misc.rules)
1567 - WEB-IIS /exchange/root.asp attempt (web-iis.rules)
1730 - WEB-CGI ustorekeeper.pl directory traversal attempt (web-cgi.rules)
1777 - FTP EXPLOIT STAT * dos attempt (ftp.rules)
1778 - FTP EXPLOIT STAT ? dos attempt (ftp.rules)
1801 - WEB-IIS .asp HTTP header buffer overflow attempt (web-iis.rules)
1802 - WEB-IIS .asa HTTP header buffer overflow attempt (web-iis.rules)
1803 - WEB-IIS .cer HTTP header buffer overflow attempt (web-iis.rules)
1804 - WEB-IIS .cdx HTTP header buffer overflow attempt (web-iis.rules)
1810 - ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE (attack-responses.rules)
1970 - WEB-IIS MDAC Content-Type overflow attempt (web-iis.rules)
1986 - CHAT MSN outbound file transfer request (chat.rules)
1988 - CHAT MSN outbound file transfer accept (chat.rules)
1989 - CHAT MSN outbound file transfer rejected (chat.rules)
2054 - WEB-CGI enter_bug.cgi arbitrary command attempt (web-cgi.rules)
2055 - WEB-CGI enter_bug.cgi access (web-cgi.rules)
2126 - MISC Microsoft PPTP Start Control Request buffer overflow attempt (misc.rules)
2133 - WEB-IIS MS BizTalk server access (web-iis.rules)
2243 - WEB-MISC ndcgi.exe access (web-misc.rules)
2435 - WEB-CLIENT Microsoft emf metafile access (web-client.rules)
2436 - WEB-CLIENT Microsoft wmf metafile access (web-client.rules)
2670 - WEB-CGI pgpmail.pl access (web-cgi.rules)
3148 - WEB-CLIENT winhelp clsid attempt (web-client.rules)
3149 - WEB-CLIENT object type overflow attempt (web-client.rules)
3150 - WEB-IIS SQLXML content type overflow (web-iis.rules)
3192 - WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web-client.rules)
3199 - EXPLOIT WINS name query overflow attempt TCP (exploit.rules)
3200 - EXPLOIT WINS name query overflow attempt UDP (exploit.rules)
3238 - NETBIOS DCERPC IrotIsRunning attempt (netbios.rules)
3239 - NETBIOS DCERPC IrotIsRunning little endian attempt (netbios.rules)
3256 - NETBIOS SMB IrotIsRunning attempt (netbios.rules)
3257 - NETBIOS SMB IrotIsRunning little endian attempt (netbios.rules)
3258 - NETBIOS SMB IrotIsRunning unicode attempt (netbios.rules)
3259 - NETBIOS SMB IrotIsRunning unicode little endian attempt (netbios.rules)
3260 - NETBIOS SMB IrotIsRunning andx attempt (netbios.rules)
3261 - NETBIOS SMB IrotIsRunning little endian andx attempt (netbios.rules)
3262 - NETBIOS SMB IrotIsRunning unicode andx attempt (netbios.rules)
3263 - NETBIOS SMB IrotIsRunning unicode little endian andx attempt (netbios.rules)
3264 - NETBIOS SMB-DS IrotIsRunning attempt (netbios.rules)
3265 - NETBIOS SMB-DS IrotIsRunning little endian attempt (netbios.rules)
3266 - NETBIOS SMB-DS IrotIsRunning unicode attempt (netbios.rules)
3267 - NETBIOS SMB-DS IrotIsRunning unicode little endian attempt (netbios.rules)
3268 - NETBIOS SMB-DS IrotIsRunning andx attempt (netbios.rules)
3269 - NETBIOS SMB-DS IrotIsRunning little endian andx attempt (netbios.rules)
3270 - NETBIOS SMB-DS IrotIsRunning unicode andx attempt (netbios.rules)
3271 - NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt (netbios.rules)
3461 - SMTP Content-Type overflow attempt (smtp.rules)
3462 - SMTP Content-Encoding overflow attempt (smtp.rules)
3466 - WEB-MISC Authorization Basic overflow attempt (web-misc.rules)
3682 - SMTP spoofed MIME-Type auto-execution attempt (smtp.rules)

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
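As an added illustration of the check that the TFTP rules in this update are described as performing (this is example code written for this page, not a Sourcefire VRT rule and not the content of sids 3817 or 3818): a small parser for TFTP read and write requests laid out per RFC 1350 (2-byte opcode, NUL-terminated filename, NUL-terminated transfer mode) that flags a request whose filename or mode field is overlong. The length thresholds, the constructed sample packets and the alert strings are assumptions chosen for the demonstration.

```python
"""Illustrative detection check for overlong TFTP RRQ/WRQ fields.

Added example, not a Sourcefire VRT rule and not the content of sids
3817/3818. TFTP request layout follows RFC 1350: 2-byte opcode (1 = RRQ,
2 = WRQ), then a NUL-terminated filename, then a NUL-terminated transfer
mode. The length thresholds below are assumptions for the demonstration.
"""
import struct

OPCODE_RRQ = 1
OPCODE_WRQ = 2
OPCODE_NAMES = {OPCODE_RRQ: "GET", OPCODE_WRQ: "PUT"}

# Assumed thresholds: the RFC 1350 modes are "netascii", "octet" and "mail"
# (at most 8 bytes); filenames longer than 128 bytes are treated as suspicious.
MAX_MODE_LEN = 8
MAX_FILENAME_LEN = 128


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None if the
    payload is not a complete read/write request.

    Fields are extracted by splitting on NUL, so an overlong field is
    measured rather than copied into a fixed-size buffer.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODE_NAMES:
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:
        # Both NUL terminators are required; anything less is not a request.
        return None
    return opcode, fields[0], fields[1]


def check_tftp_request(payload: bytes):
    """Return a list of alert strings for one UDP payload (empty if clean)."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    opcode, filename, mode = parsed
    verb = OPCODE_NAMES[opcode]
    alerts = []
    if len(mode) > MAX_MODE_LEN:
        alerts.append(
            f"TFTP {verb} transfer mode overflow attempt (mode len={len(mode)})"
        )
    if len(filename) > MAX_FILENAME_LEN:
        alerts.append(
            f"TFTP {verb} filename overflow attempt (name len={len(filename)})"
        )
    return alerts


def build_request(opcode: int, filename: bytes, mode: bytes) -> bytes:
    """Assemble a TFTP request payload; used here only to build sample input."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed sample traffic: a benign read, a read with an overlong
# transfer mode, and a write with an overlong filename.
SAMPLES = {
    "benign_rrq": build_request(OPCODE_RRQ, b"boot.cfg", b"octet"),
    "long_mode_rrq": build_request(OPCODE_RRQ, b"boot.cfg", b"A" * 300),
    "long_name_wrq": build_request(OPCODE_WRQ, b"B" * 400, b"netascii"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_tftp_request(pkt) or ["clean"])
```

Run against the constructed samples, the benign read produces no alert, the 300-byte mode string triggers the GET transfer-mode alert, and the 400-byte filename triggers the PUT filename alert; DATA, ACK and ERROR packets are ignored because only opcodes 1 and 2 are inspected.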