[Snort-sigs] Offer a new sig for detecting LibTIFF BadFaxLines tag count possible RCE

rmkml rmkml at ...4129...
Sun Oct 30 18:36:24 EDT 2016


Hi,

The http://etplc.org open source project offers a new sig for detecting LibTIFF BadFaxLines tag count possible Remote Command Execution:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libTIFF big-endian BadFaxLines (0146h) tag count possible RCE attempt"; \
flow:to_client,established; file_data; content:"MM"; within:2; distance:0; content:"|01 46 00 04|"; distance:0; byte_test:4,>,65535,0,relative,big; \
reference:cve,2016-8331; reference:url,www.talosintelligence.com/reports/TALOS-2016-0190/; classtype:attempted-user; sid:1; rev:1;)

Special thanks to Talos / ex VRT.

Don't forget to check the variables.

Another sig exists with little endian... or using flowbits... or checking RCE too...

Please send any comments.

Regards
@Rmkml
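
The condition the rule matches, written as a structural check instead of a byte pattern (an added example, not part of the original post or of the ETPLC project): it walks the TIFF IFD chain and reports any LONG BadFaxLines (0146h) entry whose count exceeds 65535, covering both the big-endian "MM" case in the rule and the little-endian "II" case the post mentions. The function names and the `build_tiff` sample files are constructed for illustration.

```python
import struct

BADFAXLINES = 0x0146  # tag id named in the rule's msg
TYPE_LONG = 4         # field type the rule matches (|00 04|)
MAX_COUNT = 65535     # threshold from the rule's byte_test

def badfaxlines_counts(data, max_ifds=16):
    """Walk the IFD chain; return the count of each LONG BadFaxLines entry."""
    if len(data) < 8 or data[:2] not in (b"MM", b"II"):
        return []
    e = ">" if data[:2] == b"MM" else "<"   # byte order for every later field
    magic, offset = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return []
    counts, seen = [], set()
    while offset and offset not in seen and len(seen) < max_ifds:
        seen.add(offset)                     # guards against looping IFD chains
        if offset + 2 > len(data):
            break
        (n,) = struct.unpack_from(e + "H", data, offset)
        for i in range(n):
            pos = offset + 2 + 12 * i        # each IFD entry is 12 bytes
            if pos + 12 > len(data):
                return counts                # truncated IFD: report what was seen
            tag, typ, count = struct.unpack_from(e + "HHI", data, pos)
            if tag == BADFAXLINES and typ == TYPE_LONG:
                counts.append(count)
        nxt = offset + 2 + 12 * n
        if nxt + 4 > len(data):
            break
        (offset,) = struct.unpack_from(e + "I", data, nxt)
    return counts

def is_suspicious(data):
    """True when any BadFaxLines count exceeds the rule's threshold."""
    return any(c > MAX_COUNT for c in badfaxlines_counts(data))

def build_tiff(order, count):
    """Constructed sample: TIFF header plus one IFD holding one BadFaxLines entry."""
    e = ">" if order == b"MM" else "<"
    return (order + struct.pack(e + "HI", 42, 8) + struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", BADFAXLINES, TYPE_LONG, count, 0)
            + struct.pack(e + "I", 0))

if __name__ == "__main__":
    for order, count in ((b"MM", 65536), (b"II", 65536), (b"MM", 1)):
        print(order.decode(), count, is_suspicious(build_tiff(order, count)))
```

Because it follows the IFD offsets, this check only looks at real directory entries, whereas the rule's content match can hit the same four bytes anywhere after the "MM" header.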



