[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Mon Oct 2 15:19:56 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has continued research into vulnerabilities
affecting Microsoft products. This rule pack reflects that effort by
introducing new rules and improving the detection capabilities of
previously released ones.


Details:
Microsoft Security Bulletin MS06-042
Microsoft Internet Explorer is vulnerable to a Denial of Service (DoS)
which may possibly also lead to the execution of code of an attackers
choosing. The error lies in the way that Internet Explorer tries to
instantiate certain COM objects as ActiveX controls.

A rule to detect attacks targeting this vulnerability is included in
this rule pack and is identified as sid 8425.

Microsoft Internet Explorer also suffers from a number of other
vulnerabilities relating to the way it handles ActiveX controls. These
vulnerabilities may also lead to a DoS condition and the possible
execution of code of the attackers choosing.

Rules to detect attacks against these vulnerabilities are included in
this rule pack and are identified as sids 8417 through 8424.


New rules:
8417 <-> Enabled  <-> WEB-CLIENT TriEditDocument.TriEditDocument
ActiveX function call access (web-client.rules)
8418 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.RevealTrans
ActiveX function call access (web-client.rules)
8419 <-> Enabled  <-> WEB-CLIENT WebViewFolderIcon.WebViewFolderIcon.1
ActiveX function call access (web-client.rules)
8420 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.Gradient
ActiveX function call access (web-client.rules)
8421 <-> Enabled  <-> WEB-CLIENT OWC11.DataSourceControl.11 ActiveX
function call access (web-client.rules)
8422 <-> Enabled  <-> WEB-CLIENT OVCtl.OVCtl.1 ActiveX function call
access (web-client.rules)
8423 <-> Enabled  <-> WEB-CLIENT CEnroll.CEnroll.2 ActiveX function
call access (web-client.rules)
8424 <-> Enabled  <-> WEB-CLIENT Microsoft Forms 2.0 ListBox ActiveX
function call access (web-client.rules)
8425 <-> Enabled  <-> WEB-CLIENT
DXImageTransform.Microsoft.NDFXArtEffects ActiveX function call access
(web-client.rules)

Updated rules:
3143 <-> Enabled  <-> NETBIOS SMB Trans2 FIND_FIRST2 response overflow
attempt (netbios.rules)
3144 <-> Enabled  <-> NETBIOS SMB Trans2 FIND_FIRST2 response andx
overflow attempt (netbios.rules)
3145 <-> Enabled  <-> NETBIOS SMB-DS Trans2 FIND_FIRST2 response
overflow attempt (netbios.rules)
3146 <-> Enabled  <-> NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx
overflow attempt (netbios.rules)
3687 <-> Enabled  <-> TELNET client ENV OPT USERVAR information
disclosure (telnet.rules)
3688 <-> Enabled  <-> TELNET client ENV OPT VAR information disclosure
(telnet.rules)
7922 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.RevealTrans
ActiveX CLSID access (web-client.rules)
7923 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.RevealTrans
ActiveX CLSID unicode access (web-client.rules)
7940 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.Gradient
ActiveX CLSID access (web-client.rules)
7941 <-> Enabled  <-> WEB-CLIENT DXImageTransform.Microsoft.Gradient
ActiveX CLSID unicode access (web-client.rules)
7956 <-> Enabled  <-> WEB-CLIENT Microsoft Forms 2.0 ListBox ActiveX
CLSID access (web-client.rules)
7957 <-> Enabled  <-> WEB-CLIENT Microsoft Forms 2.0 ListBox ActiveX
CLSID unicode access (web-client.rules)
7985 <-> Enabled  <-> WEB-CLIENT WebViewFolderIcon.WebViewFolderIcon.1
ActiveX CLSID access (web-client.rules)
7986 <-> Enabled  <-> WEB-CLIENT WebViewFolderIcon.WebViewFolderIcon.1
ActiveX CLSID unicode access (web-client.rules)
8086 <-> Enabled  <-> WEB-MISC HP Openview NNM cdpView.ovpl port 3443
Unix command execution attempt (web-misc.rules)
8087 <-> Enabled  <-> WEB-MISC HP Openview NNM freeIPaddrs.ovpl port
3443 Unix command execution attempt (web-misc.rules)
8088 <-> Enabled  <-> WEB-MISC HP Openview NNM connectedNodes.ovpl Unix
command execution attempt (web-misc.rules)
8089 <-> Enabled  <-> WEB-MISC HP Openview NNM cdpView.ovpl Unix
command execution attempt (web-misc.rules)
8090 <-> Enabled  <-> WEB-MISC HP Openview NNM freeIPaddrs.ovpl Unix
command execution attempt (web-misc.rules)
8414 <-> Disabled <-> WEB-CLIENT GIF image width descriptor buffer
overflow attempt (web-client.rules)
8416 <-> Enabled  <-> WEB-CLIENT VML fill method overflow attempt
(web-client.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFFIWZcMpm0ve0NhMcRAt8RAJ0UiK/0zc5Ns36VBy1fWivBSl9PWwCff+q0
uNG3y9B64hOyKJn330sSkLw=
=tT6g
-----END PGP SIGNATURE-----




More information about the Snort-sigs mailing list