[Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt
Shawn.Jefferson at ...14448...
Thu Mar 26 13:03:21 EDT 2009
1. If my system wasn't running the affected application, then it is a false positive, but may still be a genuine attack, and that may be interesting to me.
2. This would be the case that I'm trying to verify by asking the question here. This doesn't look like an MP4 file to me, and my theory is that the alert is triggered falsely on this packet.
Further questions I have:
1. Content-Encoding: gzip, does this mean that the HTTP content is actually compressed, and what does snort do with this, if anything?
Like I said, I've seen other alerts triggered by what looks like picture files to me (JPEG, GIF for instance).
From: jcummings at ...1935... [mailto:jcummings at ...1935...] On Behalf Of JJ Cummings
Sent: March 25, 2009 4:51 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt
you can ascertain this by asking yourself some simple questions:
1: Is the system that this is alerting affected by this, i.e. is it a system running the affected version of Microsoft Windows Media Player with the appropriate codecs?
2: Is the file in question that is causing the alert even an mp4 file? Since you suspect that it's not, verify this... if it is, see question 1.
Answer both of those and you'll find the answer...
1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;)
On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn <Shawn.Jefferson at ...14534...> wrote:
I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (1:13318), and I'm thinking this is a false positive. The snort page for the alert doesn't list any known false positives.
Some of the payload info:
HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 20:51:54 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
Also, if this is a false positive, how do I go about helping fill out the snort alert DB on the website?
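The two checks discussed in the thread, done in a script rather than by eye: is the body actually an MP4, and does the rule's content plus byte_test logic fire on it, both on the bytes as they cross the wire and after the gzip Content-Encoding is undone. This is an added example, not code from the thread or from the Snort project. It re-implements the SID 13318 rule quoted above (content "|A9|cmt" followed by byte_test:4, >, 512, 0, relative, read big-endian as Snort's byte_test defaults to) in plain Python. The sample responses are constructed for the example and are not the poster's capture; the script makes no claim about how the poster's Snort version treats Content-Encoding: gzip, it only produces the two views a triager should compare. The ftyp check is a heuristic: it recognises ISO base media files, which is the common MP4 layout, and nothing else.

```python
import gzip
import struct

CMT_PATTERN = b"\xa9cmt"   # rule content match: 0xA9 followed by "cmt"
BYTE_TEST_LIMIT = 512      # byte_test:4, >, 512, 0, relative


def split_http_response(raw):
    """Split a raw HTTP/1.x response into (headers dict, body bytes).

    Header names are lower-cased; a repeated header (Set-Cookie in the
    thread's capture) keeps only its last value, which is enough here.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers, body


def decode_body(headers, body):
    """Body as the browser sees it: inflate when Content-Encoding is gzip."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def rule_13318_hits(data):
    """Offsets at which the rule's content + byte_test logic would fire.

    byte_test:4, >, 512, 0, relative reads the 4 bytes right after the
    content match as a big-endian unsigned int (Snort's default byte order)
    and succeeds when the value is greater than 512.  If fewer than 4 bytes
    follow the match, byte_test cannot read them and does not fire.
    """
    hits, start = [], 0
    while True:
        idx = data.find(CMT_PATTERN, start)
        if idx < 0:
            return hits
        after = idx + len(CMT_PATTERN)
        if after + 4 <= len(data):
            (value,) = struct.unpack(">I", data[after:after + 4])
            if value > BYTE_TEST_LIMIT:
                hits.append(idx)
        start = idx + 1


def looks_like_mp4(body):
    """Heuristic: ISO base media (MP4) files begin with a box of type 'ftyp'."""
    return len(body) >= 8 and body[4:8] == b"ftyp"


def triage(raw):
    """Summarise what a triager wants to know about one captured response."""
    headers, wire_body = split_http_response(raw)
    decoded = decode_body(headers, wire_body)
    return {
        "content_type": headers.get("content-type", ""),
        "content_encoding": headers.get("content-encoding", ""),
        "is_mp4": looks_like_mp4(decoded),
        "hits_on_wire": rule_13318_hits(wire_body),
        "hits_after_decoding": rule_13318_hits(decoded),
    }


# Constructed sample responses (not the poster's capture).
COMMON = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Wed, 25 Mar 2009 20:51:54 GMT\r\n"
          b"Cache-Control: private, no-store, no-cache, must-revalidate\r\n")

# 1. JPEG-like binary that happens to contain A9 "cmt" followed by a large
#    big-endian value: the rule fires on a file that is not an MP4.
JPEG_LIKE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 12
             + b"\xa9cmt\x00\x00\x10\x00"   # 0x1000 = 4096 > 512: fires
             + b"\xa9cmt\x00\x00\x00\x10"   # 16 <= 512: byte_test fails
             + b"\xff\xd9")
JPEG_RESPONSE = COMMON + b"Content-Type: image/jpeg\r\n\r\n" + JPEG_LIKE

# 2. Minimal MP4-like body: an ftyp box followed by a comment atom whose
#    trailing bytes exceed the threshold.
MP4_LIKE = (b"\x00\x00\x00\x10ftypmp42\x00\x00\x00\x00"
            + b"\x00\x00\x00\x10\xa9cmt\x00\x00\x08\x00" + b"A" * 8)
MP4_RESPONSE = COMMON + b"Content-Type: video/mp4\r\n\r\n" + MP4_LIKE

# 3. gzip-compressed HTML.  The inflated text cannot contain 0xA9 "cmt", but
#    the compressed bytes on the wire are arbitrary binary, which is what a
#    sensor sees if it does not inflate the body before matching.
HTML_RESPONSE = (COMMON + b"Content-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
                 + gzip.compress(b"<html><body>hello</body></html>" * 4))

if __name__ == "__main__":
    for label, resp in (("jpeg", JPEG_RESPONSE), ("mp4", MP4_RESPONSE),
                        ("gzip-html", HTML_RESPONSE)):
        print(label, triage(resp))
```

Run it and compare `is_mp4` with the hit lists: a hit on a body with no ftyp box and an image or text Content-Type is the situation the poster describes, because the byte_test reads whatever four bytes happen to follow the pattern, so compressed bodies and image data can satisfy it by chance. A hit on a body that does carry the ftyp signature is the case where JJ's question 1 (is the client actually running the affected player and codec) decides the severity.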
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>