Re: [ISSForum] HTML_Mshtml_Overflow

Sorry, it's documented in new PAM documentation (KB #2190). I have been
working with old one... It's my mistake.

Thanks a lot!

--- Sergey

> -----Original Message-----
> From: Means, David (ISS Atlanta) [mailto:DMeans@iss.net] 
> Sent: Friday, May 12, 2006 8:21 PM
> To: Soldatov, Sergey V.
> Subject: RE: [ISSForum] HTML_Mshtml_Overflow
>
> Sergey:
>
> The tuning param you're looking for is pam.html.mshtml.bo
>
> It should be documented in the help, if its' not, please le 
> me know and I'll open a change request.
>
>
> David Means
> Team Lead / X-Force PAM Development
> Internet Security Systems
> 6303 Barfield Road
> Atlanta, GA. 30328
> Office: 404-236-2842
>
> -----Original Message-----
> From: issforum-bounces@atla-mm1.iss.net On Behalf Of 
> Soldatov, Sergey V.
> Sent: Thursday, May 11, 2006 8:43 AM
> To: issforum@atla-mm1.iss.net
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
>
>
> Jason,
> Thanks very much for your explanation!
> I think that ISS should give us a pam parameter to configure 
> number of scrip action handlers (in this case I simply 
> increase this param) or somehow rewrite signature to reduce a 
> number of false positives.
>
> Thanks again.
> Good luck!
>
> -- Sergey
>
>
> > -----Original Message-----
> > From: Jason Baeder [mailto:jason_baeder@yahoo.com]
> > Sent: Monday, May 08, 2006 7:13 PM
> > To: Soldatov, Sergey V.; issforum@iss.net
> > Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> >
> > This bit from the CVE entry makes for interesting reading:
> >
> > 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer 
> > 6.0.2900.2180, and probably other versions, allows remote 
> attackers to 
> > execute arbitrary code via an HTML tag with a large number 
> of script 
> > action handlers such as onload and onmouseover, as 
> demonstrated using 
> > onclick, aka the "Multiple Event Handler Memory Corruption 
> > Vulnerability." '
> >
> > There is demo page here:
> > http://lcamtuf.coredump.cx/iedie.html
> >
> > Some code from the page looks like this:
> >
> > <html><body><img
> > src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork 
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork 
> > onclick=bork onclick=bork onclick=bork.........
> >
> >
> > It is possible that ISS is counting "large number[s] of 
> script action 
> > handlers" in web pages (those "onclick" actions
> > above) and false positives come from either 1) alerting on too few 
> > actions*, or 2) alerting on the right number of actions, 
> but they are 
> > in non-malicious web pages.
> >
> > *There doesn't seem to be agreeement on how many is too many.
> >
> > In this case, there is probably no way to distinguish the malicious 
> > page from the non-malicious automagically.  I see a lot of these 
> > events from web-based mail sites (like Yahoo), online shopping and 
> > travel sites, and other feature-rich sites.  The key here is 
> > "feature-rich site"; lots of buttons and actions.  With 
> this and other 
> > similar sigs, it takes an alert (pun intended) analyst to 
> 1) weed out 
> > the innocuous sites, 2) correllate any malicious activity from the 
> > target after the event occurred (assuming it does something 
> to attract 
> > the attention of the IDS), and 3) confirm that the target host is 
> > patched to current.
> >
> > Interestingly, we also see alerts for this sig from traffic between 
> > our inbound mail gateway and the spam-scrubbers.  I haven't 
> seen the 
> > spam itself, but I'm guessing maybe it was HTML-based(??).  
> And, yes, 
> > that would mean that ISS is analyzing SMTP traffic with this 
> > signature.
> >
> > Jason
> >
> > --- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:
> >
> > > I see HTML_Mshtml_Overflow event generated from:
> > > 62.140.23.27
> > > 81.177.28.61
> > >
> > > Why? Is that false posititves? How to configure
> > HTML_Mshtml_Overflow
> > > signature to mitigate such FPs? How does 
> HTML_Mshtml_Overflow work?
> > > What
> > > does it search for?
> > >
> > > Thanks.
> > >
> > > ---
> > > Best regards, Sergey V. Soldatov.
> > > Information security department.
> > > tel/fax +7 495 745 89 50
> > > tel +7 495 777 77 07 (1613)
> > >
> > >
> > > _______________________________________________
> > > ISSForum mailing list
> > > ISSForum@iss.net
> > >
> > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > >
> > > To contact the ISSForum Moderator, send email to
> > mod-issforum@iss.net
> > > The ISSForum mailing list is hosted and managed by Internet
> > Security
> > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around 
> > http://mail.yahoo.com
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@iss.net
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.