Network Security: Detailed info on Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?

Subject:	Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?
Date:	Tue, 21 Sep 2004 11:06:12 -0500

The problem is that there is no guaranteed offset, the COM(comment)
section can be right after SOI (start of image) or after the JFIF
marker, if there is one, etc...  And the JFIF marker itself can be
65535 bytes in length.

I wrote one that looks for the SOI, COM and Huffman table start and I
still get lots of false positives, I have yet to find a good way to
eliminate false positives.  There is alot of flexibility in the
formatting of a jpeg and that makes this difficult.

On Tue, 21 Sep 2004 09:57:22 +0100, Chas Tomlin <cet@ecs.soton.ac.uk> wrote:

Hi,

I'm using these rules to spot malicious jpegs.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user;
sid:3000363; rev:10;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user;
sid:3000363; rev:10;)

So far I haven't seen any, just a few false positives. I think the rules
could be improved by specifying an offset for the COM length (00 0)/00
01).

Chas




-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Frank
Knobbe
Sent: 20 September 2004 18:07
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] JPEG / GDI+ DLL exploit sig?

Greetings,

it seems there are now three Proof-of-Concept exploits out for the JPEG
handling issue in the GDI+ DLL (MS04-028).

Does anyone have a signature for this yet? Preferable on the problem
(like the libpng issue) and not just pattern match on the exploits.

Cheers,
Frank


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] JPEG / GDI+ DLL exploit sig?, Frank Knobbe RE: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Chas Tomlin RE: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Frank Knobbe Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Paul Tinsley <= Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Mailing Lists

Previous by Date:	RE: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Frank Knobbe
Next by Date:	Re: [Snort-sigs] PCRE for SS#'s, Matt Jonkman
Previous by Thread:	RE: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Frank Knobbe
Next by Thread:	Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?, Mailing Lists
Indexes:	[Date] [Thread] [Top] [All Lists]