Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ISSForum] HTML_Mshtml_Overflow

from [Soldatov, Sergey V.] Network Security [Permanent Link]
Subject: Re: [ISSForum] HTML_Mshtml_Overflow
Date: Thu, 11 May 2006 16:43:24 +0400 

Jason,
Thanks very much for your explanation!
I think that ISS should give us a pam parameter to configure number of
scrip action handlers (in this case I simply increase this param) or
somehow rewrite signature to reduce a number of false positives.

Thanks again.
Good luck!

-- Sergey



-----Original Message-----
From: Jason Baeder [mailto:jason_baeder@yahoo.com] 
Sent: Monday, May 08, 2006 7:13 PM
To: Soldatov, Sergey V.; issforum@iss.net
Subject: Re: [ISSForum] HTML_Mshtml_Overflow

This bit from the CVE entry makes for interesting reading:

'Buffer overflow in mshtml.dll in Microsoft Internet Explorer 
6.0.2900.2180, and probably other versions, allows remote 
attackers to execute arbitrary code via an HTML tag with a 
large number of script action handlers such as onload and 
onmouseover, as demonstrated using onclick, aka the "Multiple 
Event Handler Memory Corruption Vulnerability." '

There is demo page here:
http://lcamtuf.coredump.cx/iedie.html

Some code from the page looks like this:

<html><body><img
src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo  
onclick=bork onclick=bork onclick=bork onclick=bork 
onclick=bork onclick=bork onclick=bork onclick=bork 
onclick=bork onclick=bork onclick=bork onclick=bork 
onclick=bork.........


It is possible that ISS is counting "large number[s] of 
script action handlers" in web pages (those "onclick" actions 
above) and false positives come from either 1) alerting on 
too few actions*, or 2) alerting on the right number of 
actions, but they are in non-malicious web pages.  

*There doesn't seem to be agreeement on how many is too many.

In this case, there is probably no way to distinguish the 
malicious page from the non-malicious automagically.  I see a 
lot of these events from web-based mail sites (like Yahoo), 
online shopping and travel sites, and other feature-rich 
sites.  The key here is "feature-rich site"; lots of buttons 
and actions.  With this and other similar sigs, it takes an 
alert (pun intended) analyst to 1) weed out the innocuous 
sites, 2) correllate any malicious activity from the target 
after the event occurred (assuming it does something to 
attract the attention of the IDS), and 3) confirm that the 
target host is patched to current.

Interestingly, we also see alerts for this sig from traffic 
between our inbound mail gateway and the spam-scrubbers.  I 
haven't seen the spam itself, but I'm guessing maybe it was 
HTML-based(??).  And, yes, that would mean that ISS is 
analyzing SMTP traffic with this signature.

Jason

--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:


I see HTML_Mshtml_Overflow event generated from:
62.140.23.27
81.177.28.61

Why? Is that false posititves? How to configure 

HTML_Mshtml_Overflow 

signature to mitigate such FPs? How does HTML_Mshtml_Overflow work?
What
does it search for?

Thanks.

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613)


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to 

mod-issforum@iss.net


The ISSForum mailing list is hosted and managed by Internet 

Security 

Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.




__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection 
around http://mail.yahoo.com 




_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ISSForum] HTML_Mshtml_Overflow, Jason Baeder
Next by Date:  [ISSForum] Information about ServerSensor on AIX 5.3, German A Suarez Nahon
Previous by Thread:  Re: [ISSForum] HTML_Mshtml_Overflow, Jason Baeder
Next by Thread:  Re: [ISSForum] HTML_Mshtml_Overflow, Soldatov, Sergey V.
Indexes:  [Date] [Thread] [Top] [All Lists]