[Snort-sigs] [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt

Joel Esler jesler at ...435...
Mon Feb 20 09:45:20 EST 2012


Oh, and that being said, this is a vulnerability against IE6 from October of 2004 that had to do with large Iframes.  If you are not running IE6 or have patched it since 2004, feel free to disable this rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 20, 2012, at 9:40 AM, Joel Esler wrote:

> Discussion of VRT rules belongs on the Snort-sigs list.  Cc'ed here.
> 
> J
> 
> On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:
> 
>> I am hitting a false positive for the rule when visiting Yahoo.
>> 
>> web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)
>> 
>> 
>>  ID	 < Signature > 	 < Timestamp > 	 < Source Address > 	 < Dest. Address > 	 < Layer 4 Proto > 
>> 	#0-(5-49715)	[cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt 	 2012-02-20 08:47:05 	202.43.205.15:80	192.168.56.1:44895 	TCP 
>> 	#1-(5-49712)	[cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt 	 2012-02-20 08:46:57 	202.43.205.15:80	192.168.56.1:44895 	TCP
>> 
>> 
>> HTTP/1.1 200 OK
>> Date: Mon, 20 Feb 2012 03:17:05 GMT
>> Server: YTS/1.19.8
>> P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
>> X-RightMedia-Hostname: raptor0122.rm.sg1
>> Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
>> Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
>> Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
>> Set-Cookie: liday1=nfg#QNHRYlV!- at ...3633...; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
>> Cache-Control: no-store
>> Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
>> Pragma: no-cache
>> Content-Type: text/html
>> Age: 0
>> Transfer-Encoding: chunked
>> Connection: keep-alive
>> 
>> 493
>> <html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);}
>> </script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
>> <iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>
>> 0
>> I believe that this is a VRT rule; do let me know if I can discuss those here, as I don't want to break any rules of this mailing list.
>> 
>> -- 
>> Regards,
>> Balasubramaniam Natarajan
>> www.etutorshop.com/moodle/
>> 
> 
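Why sid 15147 fires on the Yahoo ad frame above comes down to the rule's pcre: after the `<IFRAME ` fast-pattern match it requires a `src=` value made of at least 400 consecutive characters that are not a quote, whitespace or `>`. The yieldmanager.net URL in the capture is far longer than that, so a benign ad tag trips a check written for the 2004 IE6 overflow. The following Python is an added example, not code from the thread or from the VRT: it transcribes the rule's two match stages (the `content` check and the `pcre`) into Python's `re` module and runs them over constructed ad-style markup so the 400-character boundary can be seen directly. The `ads.example.test` URL and the `iframe_with_src` helper are assumptions made here for illustration.

```python
import re

# pcre from VRT sid:15147 rev:7 as quoted in the thread, in Python re syntax.
# The rule's /smi flags map to DOTALL, MULTILINE and IGNORECASE.
# (\x22|\x27|) accepts a double quote, a single quote, or no quote at all, so
# unquoted src values are covered too; the {400} is the part that matters.
SID_15147_PCRE = re.compile(
    r'<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}',
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

# Extracts each iframe src value using the same character class the rule uses,
# so its length is exactly what the rule's {400} quantifier counts.
SRC_VALUE = re.compile(
    r'<iframe\s+[^>]*?src\s*=\s*["\']?([^"\'\s>]*)',
    re.DOTALL | re.IGNORECASE,
)


def sid_15147_fires(http_body: str) -> bool:
    """Emulate the rule: fast-pattern content "<IFRAME " (nocase), then the pcre."""
    if "<iframe " not in http_body.lower():
        return False
    return SID_15147_PCRE.search(http_body) is not None


def src_run_length(http_body: str) -> int:
    """Length of the longest iframe src run the rule would count (0 if none)."""
    return max((len(m.group(1)) for m in SRC_VALUE.finditer(http_body)), default=0)


def iframe_with_src(length: int, quoted: bool = True) -> str:
    """Constructed ad-tag-like markup (not the capture from the thread): a
    tracking URL padded with query-string bytes to exactly `length` chars."""
    base = "http://ads.example.test/tag?id="  # assumed hostname, 31 chars
    url = base + "a" * max(0, length - len(base))
    src = f'"{url}"' if quoted else url
    return (
        '<html><body><iframe src=' + src +
        ' frameborder="0" width="160" height="600"></iframe></body></html>'
    )


if __name__ == "__main__":
    for n in (399, 400, 900):
        page = iframe_with_src(n)
        print(f"src length {src_run_length(page):>3}: fires={sid_15147_fires(page)}")
    print("unquoted 400:", sid_15147_fires(iframe_with_src(400, quoted=False)))
```

A src value of 399 characters stays quiet and one of 400 fires, quoted or not; any ad network that packs a redirect URL and a click-through URL into one src will clear that bar, which is what the capture shows. Operators who follow Joel's advice can disable the rule outright; those who want to keep it for legacy IE6 hosts can instead suppress it for known ad-serving sources or raise the `{400}` count in a local copy.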


