Format string attempts by nature try to "walk through" the STACK and read and
write to arbitrary memory locations of a vulnerable functions.
%x format string shows the content of a memory in Hexadecimal and
%n format string writes the number of bytes read so far to the given memory
address.
For instance,
scanf(var1);
printf(var1);
is vulnerable to format string vulnerability as the printf() function outputs
the user supplied data without imposing any format string.
In this case, a malicious user might supply some ill data like,
"AAAAAAAAAAAAA%x%x%x%x%x%x%x%234x"
and will try to walk through the STACK.
Hope this helps.
M./
-----Original Message-----
From: Paul Schmehl [mailto:pauls@utdallas.edu]
Sent: Friday, August 20, 2004 9:33 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] SID 2417
Can someone explain exactly what this rule is supposed to detect? I'm not
referring to the packet itself, but to the attack methodology. I can see
that it looks for a string of characters with percent signs interspersed,
which is obviously encoding, and it certainly does that, but what exactly
is the nature of the attack that's it's detecting?
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string
attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi";
classtype:string-detect; sid:2417; rev:1;)
Here's one packet:
50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65 PASV..RETR /home
2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35 /001/l/lx/lxo015
30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F 000/public_html/
50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F Photo/Munkahely/
65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70 ebed_szunet_k.jp
67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25 g..3a%2f%2fbay9%
32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32 2eoe%2ehotmail%2
65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E ecom%2fcgi%2dbin
25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F %2fhmdata%2fdaoo
64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F d%40hotmail%2eco
6D 25 33 66 26 6C m%3f&l
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
