[Snort-sigs] FP on WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt

Balasubramaniam Natarajan bala150985 at ...2420...
Thu Mar 1 21:37:57 EST 2012


Hi

I get these alerts triggered when I visit the Citibank website.

*Rule*
web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion
Denial of Service attempt"; flow:to_client,established; content:"<script";
nocase; content:"javascript"; distance:0; nocase; content:"location=";
distance:0; nocase;
pcre:"/javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}/sim";
metadata:policy security-ips drop; reference:bugtraq,16687;
reference:cve,2006-0753; classtype:attempted-dos; sid:17487; rev:4;)

*Tracing the PCRE*
I am trying to trace the PCRE. I got up to here:
javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}
which matches the line "javascript function login (){var st='toolbar=0,location=0, javascript function login ()}". However, I cannot apply that complete scenario in this case as I cannot see the second Javascript.


Signature (all three alerts):
[cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0753>]
[icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2006-0753>]
[bugtraq <http://www.securityfocus.com/bid/16687>]
[snort <http://www.snort.org/search/sid/1-17487>]
WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt

 ID             Timestamp             Source Address      Dest. Address        Layer 4 Proto
 #0-(5-50119)   2012-03-02 06:10:17   192.193.97.23:80    192.168.56.1:47028   TCP
 #1-(5-50118)   2012-03-02 06:10:17   192.193.97.23:80    192.168.56.1:47028   TCP
 #2-(5-50117)   2012-03-02 06:08:58   192.193.97.23:80    192.168.56.1:47013   TCP

*Payload:*
</td></tr>");
    newWin.document.write("<tr align='right'><td colspan='3' class='ar1'><a href='javascript:window.close()'>Close this window</a>     </td></tr>");
    newWin.document.write("<tr><td> </td><td colspan='2'> </td></tr>");
    newWin.document.write("<tr><td> </td><td colspan='2'> </td></tr>");
    newWin.document.write("</table></form></body></html>");
    newWin.document.close();
    if (autoclose) {
    }
}
function openWinUser(wdh, hgt){
    var autoclose = true
    newWin = open("","Test","scrollbar=no,width=350,height=150,left=200,top=200");
    newWin.document.open();
    newWin.document.write("<html><head><title>Citibank Online</title><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'><link rel='stylesheet' href=http://www.citibank.co.in/infojsp/includes/copy.css>");
    newWin.document.write("<script language='javascript' >");
    newWin.document.write("function login(){");
    newWin.document.write("var st='toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=1,resizable=0,top=0,left=0,width="+wdh+",height="+hgt+"';");
    newWin.document.write("mainwin=window.open('https://www.citibank.co.in/ibank/login/guestlogin.jsp','Citibank',st);");
    newWin.document.write("window.close();");
    newWin.document.write("}");
    newWin.document.write("<\/script>");
    newWin.document.write("<body onBlur='window.focus()' bgcolor='#FFFFFF' text='#000000' leftmargin='0' topmargin='0'


http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_1/changes-2011-11-28.html

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
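An added example (not part of the post, the rule set, or BASE) that applies the rule's PCRE with its /sim flags to a constructed excerpt of the payload quoted above. Wrapping the \1 backreference in a capture group shows where it was satisfied: the function name "login" recurs inside the URL guestlogin.jsp before the closing brace, which is what makes sid 17487 fire on this popup script. The trace_sid17487 function and both excerpts are assumptions built for illustration.

```python
import re

# pcre option of SID 17487 rev 4 as quoted in the post; Snort's /sim flags
# correspond to re.S | re.I | re.M in Python's re module.
PCRE_17487 = r"javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}"
# Same pattern with the backreference wrapped in a group (matching is unchanged)
# so the trace can report where \1 was satisfied.
TRACED_RE = re.compile(PCRE_17487.replace(r"\1", r"(\1)"), re.S | re.I | re.M)


def trace_sid17487(payload):
    """Return (function_name, context around the \\1 match) on a hit, or None."""
    m = TRACED_RE.search(payload)
    if m is None:
        return None
    fn = m.group(1)                    # the (\w+) function name
    lo, hi = m.start(2), m.end(2)      # where that name matched again after "location="
    return fn, payload[max(0, lo - 25):hi + 12]


# Constructed excerpt of the Citibank popup script from the alert payload
# (trimmed to the document.write() calls that matter; not the full page).
CITIBANK_EXCERPT = r"""
newWin.document.write("<script language='javascript' >");
newWin.document.write("function login(){");
newWin.document.write("var st='toolbar=0,location=0,directories=0,width="+wdh+"';");
newWin.document.write("mainwin=window.open('https://www.citibank.co.in/ibank/login/guestlogin.jsp','Citibank',st);");
newWin.document.write("window.close();");
newWin.document.write("}");
newWin.document.write("<\/script>");
"""

# Constructed control: same popup structure, but the function name never
# recurs between "location=" and the closing brace, so the backreference fails.
CONTROL_EXCERPT = r"""
newWin.document.write("<script language='javascript' >");
newWin.document.write("function popup(){");
newWin.document.write("var st='toolbar=0,location=0,width=400';");
newWin.document.write("mainwin=window.open('https://example.test/start.jsp','Win',st);");
newWin.document.write("}");
"""

if __name__ == "__main__":
    # The Citibank excerpt reports ('login', ...) with guestlogin.jsp in the
    # context; the control excerpt does not match at all.
    print(trace_sid17487(CITIBANK_EXCERPT))
    print(trace_sid17487(CONTROL_EXCERPT))
```

Note that openWinUser(wdh, hgt) in the payload cannot satisfy \(\w*\) because of the comma and space, so login() is the only candidate the PCRE can bind to.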