[Snort-sigs] Sourcefire VRT Certified Rules Update

Matthew Watchinski mwatchinski at ...435...
Wed Jun 15 17:48:59 EDT 2005


  Sourcefire VRT Certified Rules Update

  Synopsis:
  The Sourcefire Vulnerability Research Team (VRT) has learned of serious
  vulnerabilities affecting various vendor Telnet client software and
  Microsoft Internet Explorer.

  Details:
  A telnet client and server can negotiate various options such as the
  character set to be used in the communication exchange. One particular
  option allows a client or server to send new environment options.
  Certain telnet clients will respond to a telnet server that issues a
  new environment send command for a particular environment variable,
  such as the current user. This information disclosure can be valuable
  to a potential attacker. Although this vulnerability affects multiple
  vendors it is also addressed in the Microsoft advisory MS05-033.

  Rules to detect attacks against this vulnerability are included in this
  rule pack and are identifed as sids 3687 and 3688.

  Internet Explorer has an optional feature known as Content Advisor that
  allows unsuitable content to be blocked. The Content Advisor uses a
  ratings description file to determine what is considered to be
  unsuitable content. The ratings description file contains several
  statements including a name statement. An overly long value supplied to
  a specific name statement can cause a buffer overflow and the
  subsequent execution of arbitrary code.

  A rule to detect attacks against this vulnerbility is included in this
  rule pack and is identified as sid 3686.

  A vulnerability exists in the way Internet Explorer handles the
  transparency chunk of a PNG file, enabling a buffer overflow and the
  subsequent execution of arbitrary code on a vulnerable client. This
  vulnerability is addressed in the Microsoft advisory MS05-025.

  A rule to detect attacks against this vulnerbility is included in this
  rule pack and is identified as sid 3689.
  New rules:
  3680 - P2P AOL Instant Messenger Message Send (p2p.rules)
  3681 - P2P AOL Instant Messenger Message Receive (p2p.rules)
  3682 - SMTP spoofed MIME-Type auto-execution attempt (smtp.rules)
  3683 - WEB-CLIENT spoofed MIME-Type auto-execution attempt (web-client.rules)
  3684 - WEB-CLIENT Bitmap Transfer (web-client.rules)
  3685 - WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt 
(web-client.rules)
  3686 - WEB-CLIENT Internet Explorer Content Advisor attempted overflow 
(web-client.rules)
  3687 - TELNET client ENV OPT USERVAR information disclosure (telnet.rules)
  3688 - TELNET client ENV OPT VAR information disclosure (telnet.rules)
  3689 - WEB-CLIENT Internet Explorer tRNS overflow attempt (web-client.rules)





More information about the Snort-sigs mailing list