[Snort-sigs] FP for EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt sid 15477

Alex Kirk akirk at ...435...
Thu Apr 30 12:23:14 EDT 2009


On Wed, Apr 29, 2009 at 8:23 PM, Russell Fulton <r.fulton at ...575...>wrote:

> relevant match:uricontent:"JSESSIONID"; pcre:"/JESSIONID|3e|[^
> \x20\x26\x0a]{300}/smiU";
>
> I'm confused (so what's new ;)  I can't see how this pattern matched
> this packet.
> The |3e| should not have matched.
>
> Also there is no JSESSIONID in the uri, it is in the cookie.
>
> What am I missing?
>
> Russell
>
>
> DATA
>
> HEAD /cgi-bin/Pwebrecon.cgi?SC=Author&SEQ=20090425175909&PID
> =PXvCgSSxGBoDK2s17HLtjU4HkNOn&SA=Compan..i..a+de+Fomento+Cin
> ematogra..fico+(Colombia) HTTP/1.0..User-Agent: Opera/9.62 (
> Windows NT 5.1; U; en)..Host: voyager.auckland.ac.nz..Accept
> : text/html, application/xml;q=0.9, application/xhtml+xml, i
> mage/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1.
> .Accept-Language: en..Accept-Charset: iso-8859-1, utf-8, utf
> -16, *;q=0.1..Accept-Encoding: deflate, gzip, x-gzip, identi
> ty, *;q=0..Referer: http://voyager.auckland.ac.nz..Cookie: J
> SESSIONID=ba30b14653a05ef72317; CGISESSID=2ebecc78e694677733
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                               <<<<<<<<
>

That's odd; it might be a bug from some of the new http_inspect features. Do
you have a PCAP you can share to help us test it? Regardless of whether you
do, we'd like to figure out what's going on here and get it fixed; a PCAP
will just speed things.

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
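To check Russell's reading of the rule offline, here is a small Python harness (added here, not from the thread or from the Snort rule set) that rebuilds the quoted HEAD request and runs the pcre, exactly as transcribed in the mail, against the raw request-URI and against the whole request. It assumes the ".." in the mail were CR/LF and uses placeholder bytes for the non-ASCII characters; it does not reproduce http_inspect's URI normalisation, which is the part Alex suspects.

```python
import re

# Constructed reconstruction of the HEAD request quoted in the thread. The mail
# rendered CR/LF as ".." and non-ASCII bytes as dots; \xc3\xb1 below is a
# placeholder for those bytes, not the original value.
REQUEST = (
    b"HEAD /cgi-bin/Pwebrecon.cgi?SC=Author&SEQ=20090425175909&PID"
    b"=PXvCgSSxGBoDK2s17HLtjU4HkNOn&SA=Compan\xc3\xb1i\xc3\xb1a+de+Fomento+Cin"
    b"ematogra\xc3\xb1fico+(Colombia) HTTP/1.0\r\n"
    b"User-Agent: Opera/9.62 (Windows NT 5.1; U; en)\r\n"
    b"Host: voyager.auckland.ac.nz\r\n"
    b"Accept: text/html, application/xml;q=0.9, application/xhtml+xml, "
    b"image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"
    b"Accept-Language: en\r\n"
    b"Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n"
    b"Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"
    b"Referer: http://voyager.auckland.ac.nz\r\n"
    b"Cookie: JSESSIONID=ba30b14653a05ef72317; CGISESSID=2ebecc78e694677733\r\n"
    b"\r\n"
)

# The pcre exactly as quoted in the thread. Inside a Snort pcre option '|' is
# PCRE alternation, not Snort's |hex| content notation, so this pattern is three
# alternatives: the literal "JESSIONID", the two characters "3e", or a run of
# 300 bytes that are not space, '&' or LF.
PCRE_AS_QUOTED = rb"JESSIONID|3e|[^\x20\x26\x0a]{300}"


def uri_of(request: bytes) -> bytes:
    """Request-URI from the request line: the buffer the /U modifier limits the
    match to (raw, without http_inspect's normalisation)."""
    request_line = request.split(b"\r\n", 1)[0]
    return request_line.split(b" ")[1]


def alternatives_hit(pattern: bytes, buf: bytes) -> list:
    """Return the top-level alternatives of pattern that match somewhere in buf,
    case-insensitively (the /i flag in the rule)."""
    return [alt.decode() for alt in pattern.split(b"|")
            if re.search(alt, buf, re.IGNORECASE | re.DOTALL)]


if __name__ == "__main__":
    uri = uri_of(REQUEST)
    print("JSESSIONID in URI buffer:", b"JSESSIONID" in uri)          # False
    print("alternatives matching URI:", alternatives_hit(PCRE_AS_QUOTED, uri))
    print("alternatives matching whole request:",
          alternatives_hit(PCRE_AS_QUOTED, REQUEST))
    # Constructed URI showing the "3e" alternative firing on ordinary query data.
    print(alternatives_hit(PCRE_AS_QUOTED, b"/search?q=3e"))        # ['3e']
```

Against this reconstruction none of the three alternatives matches in either buffer, which agrees with Russell's reading and leaves the normalised URI buffer from http_inspect as the thing to inspect in a PCAP.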