[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Wed May 10 14:25:02 EDT 2006


Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has learned of vulnerabilities affecting hosts using
the Microsoft operating system.


Details:
Microsoft Security Bulletin MS06-18
A vulnerability exists in the implementation of the Microsoft
Distributed Transaction Coordinator (MSDTC) due to a programming error
which may present an attacker with the opportunity to deny service to
legitimate users. MSDTC fails to properly check the length of data
supplied to the service before passing it along to a fixed length
buffer. This vulnerability does not allow an attacker to run code of
their choosing, but it will cause the MSDTC service to stop responding.

CVE-2006-0034
Excess data passed to the opcodes BuildContextW or BuildContext may
cause a heap-based overflow, which causes the MSDTC service to stop
responding.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 6443 through 6466.

CVE-2006-1184
Excess data in the values for uuidstring or guidin passed in a
BuildContextW request may cause the MSDTC service to attempt to access
memory it cannot use. The MSDTC service will then cease responding.

Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 6419 through 6442.



New rules:
6404 - EXPLOIT Veritas NetBackup Volume Manager possible overflow
connection attempt (exploit.rules)
6405 - EXPLOIT Veritas NetBackup Volume Manager overflow attempt
(exploit.rules)
6406 - POLICY Gizmo VOIP client start-up version check (policy.rules)
6407 - POLICY Gizmo register VOIP state (policy.rules)
6408 - POLICY webshots desktop traffic (policy.rules)
6409 - WEB-FRONTPAGE frontpage server extension long host string
overflow attempt (web-frontpage.rules)
6410 - WEB-FRONTPAGE frontpage server extension long host string
overflow attempt (web-frontpage.rules)
6411 - WEB-FRONTPAGE frontpage server extension long host string
overflow attempt (web-frontpage.rules)
6412 - SMTP Windows Address Book attachment detected (smtp.rules)
6413 - SMTP Base64 encoded Windows Address Book attachment detected
(smtp.rules)
6414 - WEB-MISC Novell GroupWise Messenger Accept-Language Header
Buffer Overflow attempt (web-misc.rules)
6415 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object
call overflow attempt (netbios.rules)
6416 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call
overflow attempt (netbios.rules)
6417 - NETBIOS DCERPC DIRECT msdtc BuildContextW object call overflow
attempt (netbios.rules)
6418 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
object call overflow attempt (netbios.rules)
6419 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian
invalid uuid size attempt (netbios.rules)
6420 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian
invalid uuid size attempt (netbios.rules)
6421 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian invalid
uuid size attempt (netbios.rules)
6422 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW invalid uuid size
attempt (netbios.rules)
6423 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
invalid uuid size attempt (netbios.rules)
6424 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW invalid uuid
size attempt (netbios.rules)
6425 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW invalid uuid size
attempt (netbios.rules)
6426 - NETBIOS DCERPC DIRECT msdtc BuildContextW invalid uuid size
attempt (netbios.rules)
6427 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object
call invalid uuid size attempt (netbios.rules)
6428 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
object call invalid uuid size attempt (netbios.rules)
6429 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call
invalid uuid size attempt (netbios.rules)
6430 - NETBIOS DCERPC DIRECT msdtc BuildContextW object call invalid
uuid size attempt (netbios.rules)
6431 - NETBIOS DCERPC DIRECT msdtc BuildContextW invalid second uuid
size attempt (netbios.rules)
6432 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW invalid second uuid
size attempt (netbios.rules)
6433 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian
invalid second uuid size attempt (netbios.rules)
6434 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian invalid
second uuid size attempt (netbios.rules)
6435 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
invalid second uuid size attempt (netbios.rules)
6436 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW invalid second
uuid size attempt (netbios.rules)
6437 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian
invalid second uuid size attempt (netbios.rules)
6438 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW invalid second
uuid size attempt (netbios.rules)
6439 - NETBIOS DCERPC DIRECT msdtc BuildContextW object call invalid
second uuid size attempt (netbios.rules)
6440 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object
call invalid second uuid size attempt (netbios.rules)
6441 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
object call invalid second uuid size attempt (netbios.rules)
6442 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call
invalid second uuid size attempt (netbios.rules)
6443 - NETBIOS DCERPC DIRECT msdtc BuildContextW heap overflow attempt
(netbios.rules)
6444 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian heap
overflow attempt (netbios.rules)
6445 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian
heap overflow attempt (netbios.rules)
6446 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian heap
overflow attempt (netbios.rules)
6447 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW heap overflow
attempt (netbios.rules)
6448 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian heap
overflow attempt (netbios.rules)
6449 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW heap overflow
attempt (netbios.rules)
6450 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW heap overflow
attempt (netbios.rules)
6451 - NETBIOS DCERPC DIRECT msdtc BuildContextW object call heap
overflow attempt (netbios.rules)
6452 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
object call heap overflow attempt (netbios.rules)
6453 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object
call heap overflow attempt (netbios.rules)
6454 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call heap
overflow attempt (netbios.rules)
6455 - NETBIOS DCERPC DIRECT msdtc BuildContext heap overflow attempt
(netbios.rules)
6456 - NETBIOS DCERPC DIRECT v4 msdtc BuildContext heap overflow
attempt (netbios.rules)
6457 - NETBIOS DCERPC DIRECT msdtc BuildContext little endian heap
overflow attempt (netbios.rules)
6458 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContext little endian
heap overflow attempt (netbios.rules)
6459 - NETBIOS DCERPC DIRECT v4 msdtc BuildContext little endian heap
overflow attempt (netbios.rules)
6460 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContext heap overflow
attempt (netbios.rules)
6461 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContext heap overflow
attempt (netbios.rules)
6462 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContext little endian heap
overflow attempt (netbios.rules)
6463 - NETBIOS DCERPC DIRECT msdtc BuildContext object call heap
overflow attempt (netbios.rules)
6464 - NETBIOS DCERPC DIRECT msdtc BuildContext little endian object
call heap overflow attempt (netbios.rules)
6465 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContext object call heap
overflow attempt (netbios.rules)
6466 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContext little endian
object call heap overflow attempt (netbios.rules)

Updated rules:
2278 - WEB-MISC client negative Content-Length attempt (web-misc.rules)
4245 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW overflow
attempt (netbios.rules)
4246 - NETBIOS DCERPC DIRECT msdtc BuildContextW little endian overflow
attempt (netbios.rules)
4247 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW overflow attempt
(netbios.rules)
4248 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW overflow attempt
(netbios.rules)
4249 - NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian
overflow attempt (netbios.rules)
4250 - NETBIOS DCERPC DIRECT msdtc BuildContextW overflow attempt
(netbios.rules)
4251 - NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian
overflow attempt (netbios.rules)
4252 - NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian
overflow attempt (netbios.rules)
6228 - SPYWARE-PUT Adware exact.bargainbuddy runtime detection -
disclaimer text (spyware-put.rules)