On Wednesday 18 August 2004 5:03 pm, Joseph Gama wrote:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"libPNG - Remotely exploitable stack-based buffer
overrun in png_handle_tRNS";
pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri";
content:"tRNS"; byte_jump:4, -8, relative, big;
pcre:"/([\s\S]){8}/R";
pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R";
reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
classtype:misc-activity; sid:2000000; rev:1;)
Joseph,
Can you explain why the rule above is preferable to the rule I submitted
on August 5th for the same vuln:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|";
content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big;
flow:established,to_client; classtype:attempted-admin;
reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
If you've looked at the PNG spec and have found a condition where my
rule would not fire but the exploit could still work, please let me
know. Also, since you are not checking for the absence of the PLTE
header (a necessary condition for the overflow to occur), is it
possible yours could have false positives?
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
