[Snort-sigs] content - security bulletin

Jamie Riden jamie.riden at ...2420...
Fri Jun 22 10:31:44 EDT 2007

On 21/06/07, Julio <jferdinand at ...3299...> wrote:

> Hi All,
> My question is based on the latest security bulletin released by Microsoft
> and snort rules
> http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx
> I am trying to create a rule based on the
> Vulnerability in the Windows Schannel Security Package Could Allow Remote
> Code Execution (935840)
> I have a few problems putting together the rule's content

Here is a demo of bindiff run against the patch courtesy of Sabre
Security: http://www.sabre-security.com/files/schannel.swf

Presumably you'll need some way - such as the above, or observing such
an attack in the wild - to find out exactly how the bug can be
triggered. "Schannel performs insufficient checks for specially
crafted server-sent digital signatures during the SSL handshake." -
but I don't know in what way these signatures are malformed.

One thing to do is not limit it to port 443, because you could in
theory exploit it over any port (e.g.
http://evil.com:3141/ms07-031-exploit.html )

Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/
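
One way to act on the "any port" advice above, as an added example that is not part of the original post: recognize server-sent SSL/TLS handshake messages by record content instead of by port. The function names and sample payloads are constructed for illustration, and nothing here encodes the MS07-031 trigger, which the post says is not known.

```python
import struct

HANDSHAKE = 0x16  # SSL/TLS record content type: handshake
SERVER_TYPES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange",
                13: "certificate_request", 14: "server_hello_done"}

def server_handshake_types(payload):
    """Names of server handshake messages in one TCP payload.

    Uses record contents only, never the port. Messages fragmented
    across records or segments are not reassembled (assumption).
    """
    found, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, major, minor, rec_len = struct.unpack_from("!BBBH", payload, pos)
        # SSL 3.0 through TLS 1.2 records carry version 3.0 to 3.3
        if ctype != HANDSHAKE or major != 3 or minor > 3:
            break
        body = payload[pos + 5: pos + 5 + rec_len]
        if len(body) < rec_len:
            break  # truncated record, stop parsing
        off = 0
        while off + 4 <= len(body):
            msg_len = int.from_bytes(body[off + 1: off + 4], "big")
            if off + 4 + msg_len > len(body):
                break  # message runs past the record
            if body[off] in SERVER_TYPES:
                found.append(SERVER_TYPES[body[off]])
            off += 4 + msg_len
        pos += 5 + rec_len
    return found

def ports_with_server_handshake(flows):
    """flows: (server_port, payload) pairs; returns ports carrying a handshake."""
    return sorted({port for port, data in flows if server_handshake_types(data)})

def _msg(msg_type, body):
    # Handshake message: 1-byte type, 3-byte length, body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _record(body, minor=1):
    # Handshake record: type, version 3.minor, 2-byte length, body
    return struct.pack("!BBBH", HANDSHAKE, 3, minor, len(body)) + body

# Constructed sample with filler bodies, not a real capture
SAMPLE = _record(_msg(2, b"\x00" * 38) + _msg(12, b"\xaa" * 16) + _msg(14, b""))
```

A rule bound to port 443 would see only one of two flows carrying `SAMPLE` on ports 443 and 3141; the content-based check reports both.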
