[Snort-sigs] The content pattern of Rule SID: 19713 can be improved

Ruowen Wang rwang9 at ...2642...
Mon Jul 29 01:42:37 EDT 2013


Dear All,

I am doing research to test Snort rules using Metasploit exploit scripts.
I find that the content pattern of the rule sid:19713 might be inaccurate
and can be improved. The rule is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX
Mozilla Array.reduceRight integer overflow"; flow:to_client,established;
file_data; content:"a.length=0xffffffff"; nocase;
content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
sid:19713; rev:2;)

I find that in its content patterns "a.length..." and "a.reduce...", "a" is
actually a JavaScript var name (more specifically, it is an Array object in
this attack), which can be freely chosen by an attacker. In addition, I find
this rule cannot detect the Metasploit attack. The corresponding exploit is
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb

If there is anyone who is familiar with this rule, please take a look, and
correct me if I am wrong.

Thank you very much! Have a nice day!


Best Regards!
Ruowen
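As an added example (not part of the post above and not a Snort rule or Snort code), the Python below emulates the two ordered, case-insensitive content matches of sid:19713 and runs them, alongside an assumed identifier-agnostic pattern, over constructed payload fragments to show why a hard-coded variable name misses the same logic under another name. The generalised regex, the sample strings and the function names are assumptions for illustration.

```python
import re

# Content patterns as written in rule sid:19713 (both nocase; the second
# carries distance:0, so it must appear after the end of the first match).
RULE_CONTENTS = ("a.length=0xffffffff", "a.reduceRight(callback,0)")


def rule_19713_matches(payload: str) -> bool:
    """Emulate the rule's two ordered content matches on one payload string."""
    low = payload.lower()
    pos = low.find(RULE_CONTENTS[0].lower())
    if pos < 0:
        return False
    # distance:0 -> search for the second content from the end of the first
    return low.find(RULE_CONTENTS[1].lower(), pos + len(RULE_CONTENTS[0])) >= 0


# Assumed generalised pattern (not from the rule): capture whatever identifier
# has .length set to 0xffffffff and require that same identifier (backreference)
# to call reduceRight later in the payload, tolerating whitespace.
GENERALISED = re.compile(
    r"\b([A-Za-z_$][\w$]*)\s*\.\s*length\s*=\s*0x[fF]{8}\b"
    r"[\s\S]*?"
    r"\b\1\s*\.\s*reduceRight\s*\(",
    re.IGNORECASE,
)


def generalised_matches(payload: str) -> bool:
    """True if the identifier-agnostic pattern finds the length/reduceRight pair."""
    return GENERALISED.search(payload) is not None


# Constructed sample fragments (not captured traffic): the rule's literal name,
# the same logic under another name, and ordinary benign use of reduceRight.
SAMPLES = {
    "literal_a": "var a = new Array(); a.length=0xffffffff; a.reduceRight(callback,0);",
    "renamed": "var arr = new Array(); arr.length = 0xFFFFFFFF; arr.reduceRight(callback, 0);",
    "benign": "var a = [1,2,3]; var s = a.reduceRight(function(x,y){return x+y;}, 0);",
}


def evaluate(samples=SAMPLES):
    """Return {name: (rule_19713_hit, generalised_hit)} for each sample."""
    return {name: (rule_19713_matches(p), generalised_matches(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, gen_hit) in evaluate().items():
        print(f"{name:10s} rule19713={rule_hit!s:5s} generalised={gen_hit}")
```

The "renamed" sample is the case the post describes: the rule's fixed "a." prefix misses it, while the backreference-based pattern still pairs the length assignment with the reduceRight call on the same identifier.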