[Snort-sigs] FPs WEB-CLIENT Windows Metafile invalid header size integer overflow,Sig ID,5713

Russell Fulton r.fulton at ...575...
Tue Mar 7 12:28:59 EST 2006


I'm seeing a bunch of these from an internal site, as well as a
smattering from other sites, including microsoft.com.

Russell

META
--------
SID	CID	TimeStamp		Signature
1	3970213	2006-03-07 10:39:24	WEB-CLIENT Windows Metafile invalid header size integer overflow
Sig ID	5713

Sensor Hostname				Sensor Interface
monitor-itss.insec.auckland.ac.nz	ITSS sector switch

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.191.54	130.216.204.172	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	1331	23115	2	0	126	3046

Resolved Source
gula.lbr.auckland.ac.nz

Resolved Dest
t710-323-23.sfac.auckland.ac.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
80		1734		3713635408	1326985627
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	17520	53225		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
485454502F312E312032	HTTP/1.1 2
3030204F4B0D0A536572	00 OK..Ser
7665723A204D6963726F	ver: Micro
736F66742D4949532F35	soft-IIS/5
2E300D0A582D506F7765	.0..X-Powe
7265642D42793A204153	red-By: AS
502E4E45540D0A446174	P.NET..Dat
653A204D6F6E2C203036	e: Mon, 06
204D6172203230303620	 Mar 2006
32313A34313A34352047	21:41:45 G
4D540D0A436F6E74656E	MT..Conten
742D547970653A206170	t-Type: ap
706C69636174696F6E2F	plication/
782D6D736D6574616669	x-msmetafi
6C650D0A416363657074	le..Accept
2D52616E6765733A2062	-Ranges: b
797465730D0A4C617374	ytes..Last
2D4D6F6469666965643A	-Modified:
2053756E2C203135204D	 Sun, 15 M
61722031393938203035	ar 1998 05
3A30313A343220474D54	:01:42 GMT
0D0A455461673A202230	..ETag: "0
37666139373163663466	7fa971cf4f
6264313A31376431220D	bd1:17d1".
0A436F6E74656E742D4C	.Content-L
656E6774683A20313032	ength: 102
360D0A0D0AD7CDC69A00	6.........
00F5FD9AFEA3013602E8	.......6..
03000000000354010009	......T...
000003F6010000060058	.........X
0000000000050000000B	..........
023602F5FD050000000C	.6........
0264FCAE0307000000FC	.d........
02010000000000000004	..........
0000002D010000090000	...-......
00FA0200000000000000	..........
0000002200040000002D	...".....-
0101000400000004010D	..........
0009000000FA02050000	..........
000000FFFFFF00220004	......."..
0000002D010200070000	...-......
00FC0200000000000000	..........
00040000002D01030004	.....-....
00000006010100360000	.......6..
002403190091FFEF00B7	.$........
FF1701FBFFFE00F5FFBB	..........
00A3FF870094FFF4FFA3	..........
FFC6FF88FF93FF8EFF5F	........._
FFC8FF3EFF130056FF2B	...>...V.+
0093FF0D00CDFF2E00EE	..........
FF2E003F00830084008C	...?......
00EC0055005C01E9FF8F	...U.\....
0170FF6E012AFF2B010F	.p.n.*.+..
FFC40012FF87008EFF8E	..........
0091FFEF0007000000FC	..........
020000FFFFFF00000004	..........
0000002D010400040000	...-......
002D010200040000002D	.-.......-
01020007000000FC0200	..........
0000B2FF000000040000	..........
002D0105000400000006	.-........
01010036000000240319	...6...$..
0025FFA60056FFAF0072	.%...V...r
FFA60070FFDF0085FF1F	...p......
01D7FF3701FEFF1C0128	...7.....(
00F2001C00A900CEFF87	..........
00B9FF5400BFFF2000B5	...T... ..
FFD9FF0300D9FF0D000E	..........
0007004B0037006C005B	...K.7.l.[
007E007700CD005E0022	.~.w...^."
010A007701A3FF700151	...w...p.Q
FF3D012DFFFD0025FFA6	.=.-...%..
00040000002D01040004	.....-....
000000F0010500040000	..........
002D010200040000002D	.-.......-
01020007000000FC0200	..........
0000B2FF000000040000	..........
002D0105000400000006	.-........
01010014000000240308	.......$..
00C7FFBAFFA8FFA9FFA0	..........
FF7BFFB8FF5CFFF5FF5C	.{...\...\
FF0D0081FFF8FFAEFFC7	..........
FFBAFF040000002D0104	.......-..
0004000000F001050004	..........
0000002D010200040000	...-......
002D010200040000002D	.-.......-
01030004000000060101	..........
005800000024032A0040	.X...$.*.@
00360285FF3302F7FE05	.6...3....
0265FEA70122FE1F0104	.e..."....
FE9400F5FD080038FEA2	.......8..
FF8AFE1AFF49FFADFE00	.....I....
009AFE8000BFFECF00EC	..........
FE23010BFF420156FF8B	.#...B.V..
01CDFFA3015A008E01FB	.....Z....
0054019B010501D801A4	.T........
0027027100A701EC004D	.'.q.....M
011C0101013901980017	.....9....
01EEFFCF0072FF86004A	.....r...J
FF340023FFB0FF14FF1E	.4.#......
FF32FFABFEB1FF77FE06	.2.....w..
0074FE8B0090FEFB00DB	.t........
FE590105FF95016AFFAE	.Y.....j..
01D6FFD5017100A701A4	.....q....
00270240003602040000	.'.@.6....
002D010400040000002D	.-.......-
010200040000002D0102	.......-..
0007000000FC02000000	..........
B2FF000000040000002D	.........-
01050004000000060101	..........
005000000024032600F2	.P...$.&..
FFE7018BFFE701F4FEAB	..........
0196FE430168FEBE004D	...C.h...M
FE51008AFEA8FFD2FE6C	.Q.......l
FF03FF2CFF73FF07FFDD	...,.s....
FFEFFEAA0035FF2301AE	.....5.#..
FF510154005101DF0017	.Q.T.Q....
013D01C600A401F2FFE7	.=........
01E8FF270248001802C9	...'.H....
00F3010B01A601600150	.......`.P
018C01940084010C004B	.........K
0193FFF90029FF4600CB	.....).F..
FEB8FFB0FE1EFFD5FE77	.........w
FE62FF10FE4E0038FEE2	.b...N.8..
0053FE6801BCFEC60131	.S.h.....1
FF0902E8FF2702F2FFE7	.....'....
01040000002D01040004	.....-....
000000F0010500040000	..........
002D0102000300000000	.-........
00	.

DATA
--------
HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..X-Powered-By: AS
P.NET..Date: Mon, 06 Mar 2006 21:41:45 GMT..Content-Type: ap
plication/x-msmetafile..Accept-Ranges: bytes..Last-Modified:
 Sun, 15 Mar 1998 05:01:42 GMT..ETag: "07fa971cf4fbd1:17d1".
.Content-Length: 1026................6........T............X
...........6.........d.....................-................
...".....-...........................".....-................
.....-...........6...$....................................._
...>...V.+.............?.........U.\.....p.n.*.+............
.......................-.......-.......-....................
.-...........6...$...%...V...r...p.........7.....(..........
...T... ...............K.7.l.[.~.w...^."...w...p.Q.=.-...%..
.....-...............-.......-.....................-........
.......$.............{...\...\.................-............
...-.......-.......-...........X...$.*.@.6...3.....e..."....
.......8.......I...............#...B.V.......Z.....T........
.'.q.....M.....9.........r...J.4.#.......2.....w...t........
.Y.....j.......q.....'.@.6.....-.......-.......-............
.........-...........P...$.&...............C.h...M.Q.......l
...,.s.........5.#...Q.T.Q.....=...........'.H...........`.P
.........K.....).F...........w.b...N.8...S.h.....1.....'....
.....-...............-.........
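Added example, not part of Russell's post or of the Snort rule: the script below parses the start of the served file exactly as it appears in the dump above (the bytes after the blank line that ends the HTTP headers) and applies the checks a "header size" rule implies. This file carries a 22-byte placeable (Aldus) header in front of the 18-byte METAHEADER, so the HeaderSize word sits at offset 24, not 2; a detector that reads HeaderSize from a fixed offset without first skipping the placeable header reads the wrong word. The parser skips the placeable header when its key is present, verifies its XOR checksum, requires HeaderSize == 9, and compares the Size field against the Content-Length from the response. The BAD_HEADER_SIZE variant is constructed here for contrast and does not come from the post.

```python
import struct
from typing import Optional

# Bytes copied from the packet dump in the post above: the first 45 bytes of
# the HTTP body, i.e. the start of the .wmf file served with Content-Length 1026.
WMF_FROM_POST = bytes.fromhex(
    "D7CDC69A0000F5FD9AFEA3013602E803000000000354010009"
    "000003F60100000600580000000000050000000B"
)
CONTENT_LENGTH_FROM_POST = 1026

# Constructed variant (not from the post): the same bytes with the METAHEADER
# HeaderSize word (offset 22 + 2) overwritten with an out-of-range value.
_bad = bytearray(WMF_FROM_POST)
_bad[24:26] = b"\xff\xff"
BAD_HEADER_SIZE = bytes(_bad)

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the placeable ("Aldus") header
PLACEABLE_LEN = 22
METAHEADER_LEN = 18
METAHEADER_WORDS = 9         # HeaderSize is fixed at 9 16-bit words


def parse_wmf_header(data: bytes, declared_length: Optional[int] = None) -> dict:
    """Parse an optional placeable header plus the METAHEADER and collect
    anything that does not fit the format. 'problems' empty means the
    header is well-formed; declared_length is the transport's Content-Length."""
    info = {"placeable": False, "problems": []}
    off = 0

    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        info["placeable"] = True
        if len(data) < PLACEABLE_LEN:
            info["problems"].append("truncated placeable header")
            return info
        (_key, _handle, left, top, right, bottom,
         inch, _reserved, checksum) = struct.unpack_from("<IHhhhhHIH", data, 0)
        # The checksum is the XOR of the ten 16-bit words that precede it.
        calc = 0
        for word in struct.unpack_from("<10H", data, 0):
            calc ^= word
        info.update(bbox=(left, top, right, bottom), inch=inch,
                    checksum=checksum, checksum_ok=(calc == checksum))
        if calc != checksum:
            info["problems"].append(
                f"placeable checksum 0x{checksum:04X} != computed 0x{calc:04X}")
        off = PLACEABLE_LEN   # METAHEADER follows the placeable header

    if len(data) < off + METAHEADER_LEN:
        info["problems"].append("truncated METAHEADER")
        return info
    (mtype, header_size, version, size_words,
     num_objects, max_record, num_members) = struct.unpack_from("<HHHIHIH", data, off)
    info.update(type=mtype, header_size=header_size, version=version,
                size_words=size_words, num_objects=num_objects,
                max_record=max_record, num_members=num_members,
                expected_total_length=off + size_words * 2)

    if mtype not in (1, 2):            # 1 = memory metafile, 2 = disk metafile
        info["problems"].append(f"unknown metafile type {mtype}")
    if header_size != METAHEADER_WORDS:
        info["problems"].append(
            f"invalid header size {header_size} words (expected {METAHEADER_WORDS})")
    if size_words * 2 < METAHEADER_LEN:
        info["problems"].append("size field smaller than the header itself")
    if declared_length is not None and info["expected_total_length"] != declared_length:
        info["problems"].append(
            f"size field implies {info['expected_total_length']} bytes, "
            f"transport declared {declared_length}")
    return info


if __name__ == "__main__":
    for label, blob in (("from post", WMF_FROM_POST), ("constructed", BAD_HEADER_SIZE)):
        result = parse_wmf_header(blob, CONTENT_LENGTH_FROM_POST)
        print(f"{label}: header_size={result['header_size']} "
              f"problems={result['problems'] or 'none'}")
```

On the bytes from the post the placeable checksum verifies, HeaderSize is 9, and 22 + 502 * 2 equals the Content-Length of 1026, so the parser reports no problems; only the constructed variant trips the header-size check.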