[Snort-sigs] The content pattern of Rule SID: 19713 can be improved

Alex McDonnell amcdonnell at ...435...
Mon Jul 29 10:06:41 EDT 2013

Hi Ruowen,

If you search through the ruleset for the CVE 2011-2371 you will find that
there are more rules that cover this vulnerability, on top of 19713 there
is 19714, 24187 and 24188. Each of these rules covers different vectors and
the should cover all public exploits.

Alex McDonnell

On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 at ...2642...> wrote:

> Dear All,
> I am doing a research to test Snort rules using Metasploit exploit
> scripts. I find that the content pattern of the rule sid:19713 might be
> inaccurate and can be improved. The rule is:
> Mozilla Array.reduceRight integer overflow"; flow:to_client,established;
> file_data; content:"a.length=0xffffffff"; nocase;
> content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
> sid:19713; rev:2;)
> I find that in its content patterns "a.length..." and "a.reduce...", "a"
> is actually a JavaScript var name (more specifically, it is an Array object
> in this attack), which can be freely chosen by attacker. In addition, I
> find this rule cannot detect the Metasploit attack. The corresponding
> exploit is
> http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb
> If there is anyone who is familiar with this rule, please take a look, and
> correct me if I am wrong.
> Thank you very much! Have a nice day!
> Best Regards!
> Ruowen
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130729/125ba0e0/attachment.html>

More information about the Snort-sigs mailing list