[Snort-sigs] new rule to detect SQL Ingres uuid_from_char() overflow

rmkml rmkml at ...324...
Tue Jun 26 18:23:02 EDT 2007


Hi Matt,

> 1. Why 200 if the stack buffer for this is 100 bytes?

well, read the NGSSoftware advisory: "If uuid_from_char is passed a long string as its argument, a stack...";
does anyone have network traffic from an Ingres DB?

> 2. Why content:!")"; if an SQL statement like this works:
> uuid_from_char( 'Ax100' )

I don't know if it is possible with this uuid_from_char().


> Seems like the terminator would be ' and not )

I'm searching for the end of the line, ')' (before the return, because it's SQL), not "'" or '"'.


> 3. Why do a dsize, a isdataat and a within that all check essentially the same thing?

yes, but dsize is faster: first check the big SQL size, second check the content, and after that isdataat.


> 4. Since this function is only supposed to convert text UUIDs to byte
> UUIDs, why not just whitelist valid UUIDs? I.e. the function only takes
> "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX" and it must be formatted like that.

good remark, but pcre is slower than isdataat; maybe a modified rule (v2):
  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 21064 (msg:"SQL Ingres uuid_from_char() overflow attempt";
  flow:to_server,established; dsize:>200; content:" uuid_from_char("; nocase;
  pcre:!"/ uuid_from_char\(\s*('|")[0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}('|")\s*\)/i";
  reference:cve,2007-3338; reference:bugtraq,24585; classtype:attempted-user; sid:92036; rev:2;)

Best Regards
Rmkml

> Cheers,
> -matt
>
> rmkml wrote:
>> Hi,
>>
>> please check and maybe add this new rule :
>>
>> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 21064 (msg:"SQL Ingres uuid_from_char() overflow attempt";
>>   flow:to_server,established; dsize:>200; content:" uuid_from_char("; nocase;
>>   isdataat:200,relative; content:!")"; within:200;
>>   reference:cve,2007-3338; classtype:attempted-user; sid:92036; rev:1;)
>>
>> Any suggestions and improvements are welcome,
>>
>> Credits:
>> Crusoe Researches
>> http://www.Crusoe-Researches.com
>> contact at ...3281...
>> => Crusoe Researches has more than 2036 unique 'snort' rules for commercial access
>>      (Contact me directly if you are interested)
>>
>> Azwalaro, a new French open source NIDPS project
>> http://www.Crusoe-Researches.com/azwalaro/
>> azwalaro at ...3281...
>>
>> Regards
>> Rmkml
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
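As an added example, not part of the thread and not either poster's rule, the following Python models the matching logic of the rev:1 rule (dsize, content, isdataat, negated content within 200 bytes) and the rev:2 rule (dsize, content, negated pcre) over a few constructed SQL payloads. Assumptions: flow:to_server and the port check are omitted, `isdataat:200,relative` is approximated as "at least 200 bytes follow the content match", and the UUID whitelist uses a hex class `[0-9a-f]` rather than the `\d` in the posted pcre, with the digits-only pattern kept alongside to show the difference. The payloads are constructed, not captured traffic.

```python
import re

# Constants lifted from the posted rules.
CONTENT = b" uuid_from_char("   # content:" uuid_from_char("; nocase
MIN_DSIZE = 200                 # dsize:>200

# Whitelist regex for the v2 rule. A UUID is hexadecimal, so the class is
# [0-9a-f] here (assumption: this is what the rule intends), not \d.
UUID_ARG_HEX = re.compile(
    rb" uuid_from_char\(\s*['\"]"
    rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    rb"['\"]\s*\)",
    re.IGNORECASE,
)
# The pcre as posted (digits only), kept to show its false positive.
UUID_ARG_DIGITS = re.compile(
    rb" uuid_from_char\(\s*['\"]\d{8}-\d{4}-\d{4}-\d{4}-\d{12}['\"]\s*\)",
    re.IGNORECASE,
)


def _prefilter(payload):
    """dsize:>200 followed by the nocase content match.

    Returns the detection cursor (offset just past the match) or None.
    """
    if len(payload) <= MIN_DSIZE:
        return None
    idx = payload.lower().find(CONTENT)
    if idx < 0:
        return None
    return idx + len(CONTENT)


def rule_v1(payload):
    """rev:1 logic: isdataat:200,relative; content:!")"; within:200."""
    cur = _prefilter(payload)
    if cur is None:
        return False
    # isdataat:200,relative, modelled (assumption) as "at least 200 bytes
    # follow the content match"; Snort's exact boundary may differ by one.
    if len(payload) - cur < 200:
        return False
    # content:!")"; within:200 -> alert only if no ')' in the next 200 bytes
    return b")" not in payload[cur:cur + 200]


def rule_v2(payload, uuid_re=UUID_ARG_HEX):
    """rev:2 logic: negated pcre, alert when the argument is not a plain UUID."""
    cur = _prefilter(payload)
    if cur is None:
        return False
    # pcre:! without the R modifier is evaluated against the whole payload
    return uuid_re.search(payload) is None


# Constructed sample payloads (not captured traffic).
PAD = b" WHERE col = 'x' AND " + b"x" * 200          # pushes dsize over 200
BENIGN = (b"SELECT uuid_from_char('6ba7b810-9dad-11d1-80b4-00c04fd430c8')"
          b" FROM t" + PAD)
OVERFLOW = b"SELECT uuid_from_char('" + b"A" * 300 + b"')"
# Same long argument, but with a ')' inside the string: defeats the v1 check.
OVERFLOW_PAREN = b"SELECT uuid_from_char('" + b"A" * 50 + b")" + b"A" * 250 + b"')"


def evaluate(payload):
    """Run all three variants and return their verdicts (True = alert)."""
    return {
        "v1": rule_v1(payload),
        "v2_hex": rule_v2(payload),
        "v2_digits_as_posted": rule_v2(payload, UUID_ARG_DIGITS),
    }


if __name__ == "__main__":
    for name, p in [("benign", BENIGN), ("overflow", OVERFLOW),
                    ("overflow_with_paren", OVERFLOW_PAREN)]:
        print(name, len(p), evaluate(p))
```

Running it shows the two points raised in the thread: the benign statement with a real (hex) UUID is silently passed by the hex whitelist but flagged by the digits-only pattern, and a long argument that happens to contain a ')' within the first 200 bytes slips past the rev:1 `content:!")"; within:200` check while the rev:2 negated pcre still fires.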