[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Tue Jun 13 13:48:17 EDT 2006



Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has learned of multiple vulnerabilities affecting
Microsoft Internet Explorer, Apple Quicktime, Novell eDirectory, Sophos
Anti-Virus and Symantec Anti-Virus products.

Details:
Microsoft Internet Explorer contains a programming error in the way
that it processes MIME HTML links (mhtml), which are commonly embedded
in HTML email. The error in processing these links may allow a remote
attacker to overflow a fixed-length buffer and execute code of their
choosing on the target system.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 6509 and 6510.

Apple Quicktime fails to properly check user-supplied data, which may
allow a remote attacker to overflow a fixed-length buffer and execute
code of their choosing on the target host.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 6505 and 6506.

Novell eDirectory Server contains a vulnerability that may allow an
attacker to overflow a fixed-length buffer and execute code of their
choosing on an affected server. The vulnerability exists in the
iMonitor NDS server and may be exploited via a specially crafted URI
sent to the service.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 6507.

Sophos Anti-Virus fails to properly process Microsoft CAB files. A
remote attacker may be able to leverage this vulnerability to execute
code of their choosing on the target host or cause a denial of service
(DoS) against the Sophos Anti-Virus process.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 6504.

Symantec Anti-Virus Real-Time Scan Service suffers from a programming
error that may allow a remote attacker to execute code of their
choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 6512.

New rules:
6472 - BACKDOOR bugs runtime detection - file manager client-to-server
(backdoor.rules)
6473 - BACKDOOR bugs runtime detection - file manager server-to-client
(backdoor.rules)
6474 - BACKDOOR w32.loosky.gen at ...110... runtime detection - notification
(backdoor.rules)
6475 - BACKDOOR badrat 1.1 runtime detection - flowbit set
(backdoor.rules)
6476 - BACKDOOR badrat 1.1 runtime detection (backdoor.rules)
6477 - SPYWARE-PUT Hacker-Tool beee runtime detection - smtp
(spyware-put.rules)
6478 - SPYWARE-PUT Trackware searchingall toolbar runtime detection -
send user url request (spyware-put.rules)
6479 - SPYWARE-PUT Snoopware totalvelocity zsearch runtime detection
(spyware-put.rules)
6480 - SPYWARE-PUT Hijacker cws.cameup runtime detection - home page
(spyware-put.rules)
6481 - SPYWARE-PUT Hijacker cws.cameup runtime detection - search
(spyware-put.rules)
6482 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection -
get info (spyware-put.rules)
6483 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection -
home page hijacker (spyware-put.rules)
6484 - SPYWARE-PUT Hijacker makemesearch toolbar runtime detection -
search (spyware-put.rules)
6485 - SPYWARE-PUT Adware spyfalcon runtime detection - action report
(spyware-put.rules)
6486 - SPYWARE-PUT Adware spyfalcon runtime detection - notification
(spyware-put.rules)
6487 - SPYWARE-PUT Adware searchnugget toolbar runtime detection -
check updates (spyware-put.rules)
6488 - SPYWARE-PUT Adware searchnugget toolbar runtime detection -
redirect mistyped urls (spyware-put.rules)
6489 - SPYWARE-PUT Hijacker analyze IE runtime detection - default page
hijacker (spyware-put.rules)
6490 - SPYWARE-PUT Dialer yeaknet runtime detection - home page
hijacker (spyware-put.rules)
6491 - SPYWARE-PUT Dialer yeaknet runtime detection - post-installation
(spyware-put.rules)
6492 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection -
notification (spyware-put.rules)
6493 - SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - post
data (spyware-put.rules)
6494 - SPYWARE-PUT Adware yourenhancement runtime detection
(spyware-put.rules)
6495 - SPYWARE-PUT Hijacker troj_spywad.x runtime detection
(spyware-put.rules)
6496 - SPYWARE-PUT Adware adpowerzone runtime detection
(spyware-put.rules)
6497 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6498 - BACKDOOR exploiter 1.0 runtime detection (backdoor.rules)
6499 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6500 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6501 - BACKDOOR omerta 1.3 runtime detection (backdoor.rules)
6502 - WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0
(web-client.rules)
6503 - WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0
(web-client.rules)
6504 - WEB-CLIENT Sophos Anti-Virus CAB file overflow attempt
(web-client.rules)
6505 - WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt
(web-client.rules)
6506 - WEB-CLIENT quicktime udta atom overflow attempt
(web-client.rules)
6507 - WEB-MISC novell edirectory imonitor overflow attempt
(web-misc.rules)
6508 - EXPLOIT EMC retrospect client crafted packet overflow attempt
(exploit.rules)
6509 - WEB-CLIENT Internet Explorer mhtml uri href buffer overflow
attempt (web-client.rules)
6510 - WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow
attempt (web-client.rules)
6511 - WEB-MISC ALT-N WebAdmin user param overflow attempt
(web-misc.rules)
6512 - EXPLOIT symantec antivirus realtime virusscan overflow attempt
(exploit.rules)

Updated rules:
972 - DELETED WEB-IIS %2E-asp access (deleted.rules)
1508 - WEB-CGI alibaba.pl access (web-cgi.rules)
3534 - WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0
(web-client.rules)
3535 - WEB-CLIENT GIF transfer (web-client.rules)
3536 - WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0
(web-client.rules)
5851 - SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and
.lst requests (spyware-put.rules)
6025 - BACKDOOR tequila bandita 1.2 runtime detection - reverse
connection (backdoor.rules)
6317 - BACKDOOR net demon runtime detection - file manager response
(backdoor.rules)
6399 - BACKDOOR rad 1.2.3 runtime detection (backdoor.rules)