Joe,
I can see that you based your rule on the source code
with the else if vulnerability. I based mine on the
code and comments from the exploit which is why you
look for PLTE while I look for the 0x03 because:
* to 0x03, byte 10 of the IHDR data. that signfies
that a PALLETE chunk should
* be present. but we dont have one, and that is how
the len check is bypassed.
I tested my rule and it detects pngtest_bad.png, plus
I browsed through hundreds of PNG's and got no false
positives. I haven't tested yours, I didn't see it
before.
Which solution is better? I think that it would be ok
to have both because they look for the same thing in
different ways. Let people test them and find out if
there are false posistives.
Peace,
Joseph
--- Joe Stewart <jstewart@lurhq.com> wrote:
On Wednesday 18 August 2004 5:03 pm, Joseph Gama
wrote:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET
any
(msg:"libPNG - Remotely exploitable stack-based
buffer
overrun in png_handle_tRNS";
pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri";
content:"tRNS"; byte_jump:4, -8, relative, big;
pcre:"/([\s\S]){8}/R";
pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R";
reference:url,http.www.securiteam.com/unixfocus/5ZP0C0KDPG.html;
classtype:misc-activity; sid:2000000; rev:1;)
Joseph,
Can you explain why the rule above is preferable to
the rule I submitted
on August 5th for the same vuln:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
libpng tRNS overflow attempt"; content:"|89|PNG|0D
0A 1A 0A|";
content:!"PLTE"; content:"tRNS";
byte_test:4,>,256,-8,relative,big;
flow:established,to_client;
classtype:attempted-admin;
reference:cve,CAN-2004-0597; sid:2001058; rev:2;)
If you've looked at the PNG spec and have found a
condition where my
rule would not fire but the exploit could still
work, please let me
know. Also, since you are not checking for the
absence of the PLTE
header (a necessary condition for the overflow to
occur), is it
possible yours could have false positives?
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest
price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R
for only $33
Save 50% off Retail on Ink & Toner - Free Shipping
and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
