[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Wed Feb 15 09:43:06 EST 2006

Sourcefire VRT Certified Rules Update

The Sourcefire VRT has learned of multiple vulnerabilities affecting
hosts running Microsoft Windows. The VRT has also added rules to detect
Skype usage as well as attacks aimed at Qualcomm WorldMail and other
applications.

Microsoft Security Bulletin MS06-005

Windows Media Player suffers from a programming error that may enable
an attacker to run code of their choosing on a vulnerable system. The
error occurs when the application processes a malformed bitmap file.
A bitmap whose header declares a length of zero is not checked against
the amount of data actually present, so an attacker can craft an image
that declares a size of 0 but carries real image data, which is then
copied into a heap buffer sized for the declared length and overflows it.

A rule to detect attacks targeting this vulnerability is included in
this update and is identified as sid 5711.

Microsoft Security Bulletin MS06-006

The Windows Media Player plugin for non-Microsoft browsers is subject to
a buffer overflow condition when handling media embedded in web pages.
The plugin is used by Mozilla-based browsers on hosts running Microsoft
Windows.

A src attribute of more than 2081 bytes in an EMBED element handled by
the Windows Media Player plugin may present an attacker with the
opportunity to overflow a fixed-length buffer and execute code of their
choosing on a vulnerable host.

A rule to detect attacks targeting this vulnerability is included in
this update and is identified as sid 5710.
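The two trigger conditions described above, written out as standalone
detection checks run over constructed sample payloads. This is an added
example and not Sourcefire VRT or Snort rule code: the 2081-byte
threshold comes from the advisory text, while the HTML matching, the
BMP sample builder and the assumption that the unchecked zero length is
the bfSize field of the BITMAPFILEHEADER are the editor's own.

```python
"""Added example (not Sourcefire VRT or Snort code): the two conditions
behind sid 5710 (oversized EMBED src handed to the Windows Media Player
plugin) and sid 5711 (bitmap declaring a size of zero), re-implemented
as standalone checks over constructed sample data."""
import re
import struct

# Threshold quoted in the advisory: a src value longer than this
# overflows the plugin's fixed-length buffer.
WMP_SRC_LIMIT = 2081

# Minimal HTML matching: find <embed ...> elements and their src attribute.
EMBED_RE = re.compile(rb"<\s*embed\b([^>]*)>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(rb"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                    re.IGNORECASE)


def oversized_embed_src(html: bytes, limit: int = WMP_SRC_LIMIT) -> list:
    """Return the length of every EMBED src value longer than `limit`.

    An empty list means nothing in `html` meets the sid 5710 condition;
    a value of exactly `limit` bytes is not flagged ("more than 2081").
    """
    hits = []
    for embed in EMBED_RE.finditer(html):
        match = SRC_RE.search(embed.group(1))
        if match is None:
            continue
        value = next(g for g in match.groups() if g is not None)
        if len(value) > limit:
            hits.append(len(value))
    return hits


def zero_length_bitmap(data: bytes) -> bool:
    """True if `data` is a BMP whose header declares a file size of 0 while
    the file carries more than the 14-byte BITMAPFILEHEADER.

    Assumption (the advisory names no field): the unchecked "size" is
    bfSize, the little-endian DWORD at offset 2 of BITMAPFILEHEADER.
    """
    if len(data) < 14 or data[:2] != b"BM":
        return False
    (declared_size,) = struct.unpack_from("<I", data, 2)
    return declared_size == 0 and len(data) > 14


def build_bmp(declared_size: int, pixel_bytes: int) -> bytes:
    """Construct a 1x1 24-bit BMP with a chosen bfSize; sample data only."""
    file_header = b"BM" + struct.pack("<IHHI", declared_size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII",
                              40, 1, 1, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + b"\x41" * pixel_bytes


def run_samples() -> dict:
    """Run both checks over constructed benign and malicious samples."""
    benign_html = (b'<html><body><embed type="application/x-mplayer2" '
                   b'src="clip.wmv" width="320" height="240"></body></html>')
    attack_html = (b'<embed type="application/x-mplayer2" src="'
                   + b"A" * 2500 + b'">')
    boundary_html = b"<embed src='" + b"B" * WMP_SRC_LIMIT + b"'>"

    benign_bmp = build_bmp(54 + 4, 4)   # bfSize matches the real length
    attack_bmp = build_bmp(0, 4)        # declares 0 bytes, data follows

    return {
        "benign_html": oversized_embed_src(benign_html),
        "attack_html": oversized_embed_src(attack_html),
        "boundary_html": oversized_embed_src(boundary_html),
        "benign_bmp": zero_length_bitmap(benign_bmp),
        "attack_bmp": zero_length_bitmap(attack_bmp),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The real Snort rules match content and regular expressions over the
HTTP stream rather than parsing HTML or BMP structures; the example
isolates the boundary each rule is looking for, including the case of
exactly 2081 bytes, which falls on the safe side of the threshold.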

New rules:
5692 - P2P Skype client successful install (p2p.rules)
5693 - P2P Skype client start up get latest version attempt (p2p.rules)
5694 - P2P Skype client setup get newest version attempt (p2p.rules)
5695 - WEB-IIS web agent redirect overflow attempt (web-iis.rules)
5696 - IMAP delete directory traversal attempt (imap.rules)
5697 - IMAP examine directory traversal attempt (imap.rules)
5698 - IMAP list directory traversal attempt (imap.rules)
5699 - IMAP lsub directory traversal attempt (imap.rules)
5700 - IMAP rename directory traversal attempt (imap.rules)
5701 - IMAP status directory traversal attempt (imap.rules)
5702 - IMAP subscribe directory traversal attempt (imap.rules)
5703 - IMAP unsubscribe directory traversal attempt (imap.rules)
5704 - IMAP SELECT overflow attempt (imap.rules)
5705 - IMAP CAPABILITY overflow attempt (imap.rules)
5706 - POLICY Namazu incoming namazu.cgi access (policy.rules)
5707 - POLICY Namazu outbound namazu.cgi access (policy.rules)
5709 - WEB-PHP file upload directory traversal (web-php.rules)
5710 - WEB-CLIENT Windows Media Player Plugin For Non-IE Browsers
Buffer Overflow (web-client.rules)
5711 - WEB-CLIENT Windows Media Player zero length bitmap heap overflow
attempt (web-client.rules)

Updated rules:
1021 - WEB-IIS ism.dll attempt (web-iis.rules)
1079 - WEB-MISC WebDAV propfind access (web-misc.rules)
1425 - WEB-PHP content-disposition file upload attempt (web-php.rules)
1861 - WEB-MISC Linksys router default username and password login
attempt (web-misc.rules)
2259 - SMTP EXPN overflow attempt (smtp.rules)
2260 - SMTP VRFY overflow attempt (smtp.rules)
2486 - DOS ISAKMP invalid identification payload attempt (dos.rules)
2522 - WEB-MISC SSLv3 invalid Client_Hello attempt (web-misc.rules)
3549 - WEB-CLIENT HTML DOM invalid element creation attempt
3653 - SMTP SAML overflow attempt (smtp.rules)
3654 - SMTP SOML overflow attempt (smtp.rules)
3655 - SMTP SEND overflow attempt (smtp.rules)
3656 - SMTP MAIL overflow attempt (smtp.rules)
3824 - SMTP AUTH user overflow attempt (smtp.rules)
4060 - POLICY RDP attempted Administrator connection request