[Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu Mar 26 13:03:21 EDT 2009


1. If my system wasn't running the affected application, then it is a false positive, but may still be a genuine attack, and that may be interesting to me.

2. This would be the case that I'm trying to verify by asking the question here.  This doesn't look like an MP4 file to me, and my theory is that the alert is triggered falsely on this packet.

Further questions I have:

1. Content-Encoding: gzip, does this mean that the HTTP content is actually compressed, and what does snort do with this, if anything?

2. Content-type field.  Can this be relied upon to determine whether or not the exploit was "real"?  I've seen some malware download files from websites where the content type is text, but in the case of exploiting a browser or browser plugin, my instinct is that the content type needs to be accurate, or the browser/application isn't going to process the data.  In the case below, of the media player exploit, if the type is javascript, then it isn't going to get played by Media Player (??).

Like I said, I've seen other alerts triggered by what looks like picture files to me (JPEG, GIF for instance).

From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf Of JJ Cummings
Sent: March 25, 2009 4:51 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt


You can ascertain this by asking yourself some simple questions:

1: Is the system that this is alerting on affected by this, i.e. is it a system running the affected version of Microsoft Windows Media Player with the appropriate codecs?

2: Is the file in question that is causing the alert even an mp4 file?  Since you suspect that it's not, verify this... if it is, see question 1

Answer both of those and you'll find the answer...

1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;)
On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn <Shawn.Jefferson at ...14534...> wrote:
I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (1:13318), and I'm thinking this is a false positive.  The snort page for the alert doesn't list any known false positives.

Some of the payload info:

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 20:51:54 GMT
Server: Apache/1.3.41.fb2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
X-Cnection: close
Transfer-Encoding: chunked
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip

The reason I think it may be a false positive is the fact that this appears to be javascript, and is gzipped (??).  I've seen other alerts triggered by JPEGs, and I've always assumed they were false positives, but I wanted to run it by all of you because I could be missing something!

Also, if this is a false positive, how do I go about helping fill out the snort alert DB on the website?
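As an added triage helper (not code from this thread or from the Snort rule set), the Python below re-implements the payload test of sid:13318, content:"|A9|cmt" followed by byte_test:4, >, 512, 0, relative, runs it on the raw HTTP response and again on the body after undoing the gzip Content-Encoding, and checks whether the body carries the 'ftyp' box an MP4 has at offset 4. Both responses are constructed samples and all function names are my own; in the JavaScript sample the signature is deliberately placed in the gzip header's comment field so that the compressed wire bytes match while the decoded script does not.

```python
import gzip
import struct
import zlib
# Payload test of sid:13318: content:"|A9|cmt"; byte_test:4, >, 512, 0, relative
SIGNATURE = b"\xa9cmt"
THRESHOLD = 512


def rule_hits(data):
    """Offsets where |A9|cmt is followed by a big-endian 32-bit value above 512."""
    hits, i = [], data.find(SIGNATURE)
    while i >= 0 and i + 8 <= len(data):
        if struct.unpack(">I", data[i + 4:i + 8])[0] > THRESHOLD:
            hits.append(i)
        i = data.find(SIGNATURE, i + 1)
    return hits


def split_response(raw):
    """Return (headers with lowercased names, body with gzip Content-Encoding undone)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return headers, body


def triage(raw):
    """Re-run the rule on the decoded body and check for the 'ftyp' box an MP4 carries at offset 4."""
    headers, body = split_response(raw)
    return {"content_type": headers.get("content-type", ""), "is_mp4": body[4:8] == b"ftyp",
            "wire_hits": rule_hits(raw), "decoded_hits": rule_hits(body)}


def gzip_with_comment(payload, comment):
    """Build a gzip member by hand so a chosen byte string sits in its FCOMMENT header field."""
    deflate = zlib.compressobj(9, zlib.DEFLATED, -15)
    header = b"\x1f\x8b\x08\x10" + b"\0" * 4 + b"\0\x03" + comment + b"\0"
    return (header + deflate.compress(payload) + deflate.flush()
            + struct.pack("<II", zlib.crc32(payload), len(payload)))


# Constructed sample 1: gzipped JavaScript whose wire bytes contain the signature (in the gzip comment).
JS_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n"
               b"Content-Encoding: gzip\r\n\r\n"
               + gzip_with_comment(b"var a = 1;", b"\xa9cmt\x7f\x7f\x7f\x7f"))

# Constructed sample 2: a minimal MP4 whose '\xa9cmt' atom is followed by a 'data' atom claiming 1024 bytes.
MP4_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n"
                + struct.pack(">I", 20) + b"ftypmp42\0\0\0\0isom"
                + struct.pack(">I", 1032) + b"\xa9cmt" + struct.pack(">I", 1024) + b"data")
```

The helper does not undo Transfer-Encoding: chunked, so a captured response like the one above must be de-chunked before the gzip layer is removed.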
