Re: [Snort-sigs] JPEG / GDI+ DLL exploit sig?

Couple problems with these rules, what happens if the JPEG is part of an
email? What other ways would the jpeg enter our network?

Has anyone looked at exploit code that is listed on

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

I haven't had a chance to check to see if it would be detected by this rule.



> The problem is that there is no guaranteed offset, the COM(comment)
> section can be right after SOI (start of image) or after the JFIF
> marker, if there is one, etc...  And the JFIF marker itself can be
> 65535 bytes in length.
>
> I wrote one that looks for the SOI, COM and Huffman table start and I
> still get lots of false positives, I have yet to find a good way to
> eliminate false positives.  There is alot of flexibility in the
> formatting of a jpeg and that makes this difficult.
>
> On Tue, 21 Sep 2004 09:57:22 +0100, Chas Tomlin <cet@ecs.soton.ac.uk>
> wrote:
> > Hi,
> >
> > I'm using these rules to spot malicious jpegs.
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> > jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
> > image/jpeg"; content:"|FF FE 00 00|"; classtype:attempted-user;
> > sid:3000363; rev:10;)
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> > jpeg vulnerability"; flow:to_client,established; content:"Content-Type\:
> > image/jpeg"; content:"|FF FE 00 01|"; classtype:attempted-user;
> > sid:3000363; rev:10;)
> >
> > So far I haven't seen any, just a few false positives. I think the rules
> > could be improved by specifying an offset for the COM length (00 0)/00
> > 01).
> >
> > Chas
> >
> >
> >
> >
> > -----Original Message-----
> > From: snort-sigs-admin@lists.sourceforge.net
> > [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Frank
> > Knobbe
> > Sent: 20 September 2004 18:07
> > To: snort-sigs@lists.sourceforge.net
> > Subject: [Snort-sigs] JPEG / GDI+ DLL exploit sig?
> >
> > Greetings,
> >
> > it seems there are now three Proof-of-Concept exploits out for the JPEG
> > handling issue in the GDI+ DLL (MS04-028).
> >
> > Does anyone have a signature for this yet? Preferable on the problem
> > (like the libpng issue) and not just pattern match on the exploits.
> >
> > Cheers,
> > Frank
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> > Project Admins to receive an Apple iPod Mini FREE for your judgement on
> > who ports your project to Linux PPC the best. Sponsored by IBM.
> > Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> Project Admins to receive an Apple iPod Mini FREE for your judgement on
> who ports your project to Linux PPC the best. Sponsored by IBM.
> Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs