[Snort-sigs] Sourcefire VRT Certified Snort Rules for CVE-2013-3906

Patrick Mullen pmullen at ...435...
Fri Nov 8 09:36:49 EST 2013


Jeremy,

The rules that are currently released for CVE-2013-3906 (sids 28464-28471)
cover all known samples that exploit this vulnerability as well as a
yet-unseen version for which STRIPBYTECOUNT is set to one and the
vulnerable value can be checked easily.  When STRIPBYTECOUNT is greater
than one, the values that need to be evaluated for the vulnerable
condition are located at a file offset, which requires additional
processing to compute.  Using Snort's shared object rule architecture, we
are able to perform these calculations, but since shared object rules are
written in C, there are additional reviews that need to be performed before
release.  The current sids were released to provide good coverage for our
customers immediately while the shared object rule went through the review
process to cover the more general case.  The shared object rule has already
gone through the review process and will be released in an upcoming
SEU/SRU/rulepack.


Thanks,

~Patrick


On Thu, Nov 7, 2013 at 10:05 PM, Jeremy Scott
<JeremyScott at ...3854...> wrote:

> What's the possibility of false negatives with the rules package for
> CVE-2013-3906 (SID 28464-71)? I'm just trying to validate if I'm
> understanding the rule logic correctly.
>
> The content is matching the STRIPBYTECOUNT TIFF Tag (01 17 00 04 00 00 00
> 01). By specifying a value of 1 for the number of strips in the file, it
> seems that it will bypass the rule from being triggered if more than 1
> strip is used to trigger the vulnerable condition.
>
>
>
> *Jeremy Scott*
>
> <http://www.solutionary.com/>
>
> *Senior Research Analyst*
>
> *Security Engineering Research Team (SERT)*
>
>

--
Patrick Mullen
Response Research Manager
Sourcefire VRT
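The point the two messages above turn on is how a TIFF IFD entry stores its value: when the entry's data fits in 4 bytes (a single LONG StripByteCounts value, count one) the value sits in the entry itself, so a fixed content match such as the quoted `01 17 00 04 00 00 00 01` sees it directly; when the count is greater than one the same 4-byte field holds a file offset that must be dereferenced before the values can be inspected. The following Python script is an added illustration of that layout, not code from the thread, from Sourcefire/VRT or from Snort. The two TIFF files it builds are constructed test inputs; the thread does not say what the vulnerable StripByteCounts value is, so the script stops at extracting the values and reports whether the quoted byte pattern would have matched, which is what a rule writer needs to know before deciding whether a plain content match is enough.

```python
import struct

STRIPBYTECOUNTS = 0x0117
# TIFF field types this example understands: type id -> (struct code, byte size)
FIELD_TYPES = {1: ("B", 1), 3: ("H", 2), 4: ("I", 4)}
# The 8-byte sequence quoted in the thread: tag 0x0117, type LONG (4), count 1,
# in big-endian ("MM") byte order.
THREAD_CONTENT_MATCH = bytes.fromhex("0117000400000001")


def parse_first_ifd(data):
    """Yield (tag, type, count, values, inline) for every entry of the first IFD.

    inline is True when the values were stored in the entry's own 4-byte value
    field and False when that field held an offset that had to be dereferenced.
    Unknown field types are yielded with values=None rather than guessed at.
    """
    if len(data) < 8:
        raise ValueError("too short to be a TIFF header")
    if data[:2] == b"II":
        e = "<"                      # little-endian
    elif data[:2] == b"MM":
        e = ">"                      # big-endian
    else:
        raise ValueError("missing TIFF byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset runs past end of file")
    (n_entries,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            raise ValueError("IFD entry runs past end of file")
        tag, ftype, count = struct.unpack(e + "HHI", data[pos:pos + 8])
        value_field = data[pos + 8:pos + 12]
        pos += 12
        if ftype not in FIELD_TYPES:
            yield tag, ftype, count, None, None
            continue
        code, size = FIELD_TYPES[ftype]
        total = size * count
        if total <= 4:
            # Value is left-justified inside the 4-byte field itself.
            raw, inline = value_field[:total], True
        else:
            # Field is an offset; a malformed file can point anywhere, so bounds-check it.
            (off,) = struct.unpack(e + "I", value_field)
            if off + total > len(data):
                raise ValueError(f"tag 0x{tag:04x}: offset 0x{off:x} runs past end of file")
            raw, inline = data[off:off + total], False
        yield tag, ftype, count, list(struct.unpack(e + code * count, raw)), inline


def strip_byte_counts(data):
    """Return (values, inline) for the StripByteCounts tag, or None if absent."""
    for tag, _ftype, _count, values, inline in parse_first_ifd(data):
        if tag == STRIPBYTECOUNTS:
            return values, inline
    return None


def content_match_hits(data):
    """Would the fixed 8-byte sequence quoted in the thread match this file?"""
    return THREAD_CONTENT_MATCH in data


def build_tiff(e, entries):
    """Build a minimal TIFF for testing: header, one IFD at offset 8, then any
    out-of-line values. entries is a list of (tag, type, [values]). Constructed
    input for this example, not a real sample."""
    order = b"MM" if e == ">" else b"II"
    data_off = 8 + 2 + 12 * len(entries) + 4   # first byte after the IFD
    ifd, blob = struct.pack(e + "H", len(entries)), b""
    for tag, ftype, values in entries:
        code, _size = FIELD_TYPES[ftype]
        packed = struct.pack(e + code * len(values), *values)
        if len(packed) <= 4:
            field = packed.ljust(4, b"\x00")
        else:
            field = struct.pack(e + "I", data_off + len(blob))
            blob += packed
        ifd += struct.pack(e + "HHI", tag, ftype, len(values)) + field
    ifd += struct.pack(e + "I", 0)               # no next IFD
    return order + struct.pack(e + "HI", 42, 8) + ifd + blob


BASE_ENTRIES = [(0x0100, 4, [64]), (0x0101, 4, [64]), (0x0111, 4, [8])]

if __name__ == "__main__":
    one = build_tiff(">", BASE_ENTRIES + [(STRIPBYTECOUNTS, 4, [0x1234])])
    many = build_tiff(">", BASE_ENTRIES + [(STRIPBYTECOUNTS, 4, [100, 200, 300])])
    for label, tiff in (("one strip", one), ("three strips", many)):
        print(label, strip_byte_counts(tiff), "content match:", content_match_hits(tiff))
```

Running it shows the one-strip file returning its value inline with the quoted pattern present, and the three-strip file returning its values only after the offset is followed, with the pattern absent; that second case is the one the shared object rule described in the reply has to compute. Note also that the quoted bytes are the big-endian encoding of the entry; a little-endian ("II") file stores the same entry with its fields byte-swapped, so each byte order needs its own match.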

