
[Snort-sigs] sig 2671

Subject: [Snort-sigs] sig 2671
Date: Fri, 12 Nov 2004 13:08:24 -0800 (PST)
WEB-CLIENT bitmap BitmapOffset integer overflow attempt

I'm getting a lot of alerts for this, from some pretty mainstream nets.

 166.90.133.246 Level 3 Communications, Inc.
 198.107.152.199 Verio, Inc.
 209.246.22.102 Level 3 Communications, Inc.
 209.249.114.36 Akamai
 38.113.220.14 Performance Systems International Inc.
 63.215.64.22 Level 3 Communications, Inc.
 64.215.168.129 Global Crossing
 68.237.164.137 Verizon Internet

I suppose it's possible they are all hosting hostile web sites, but the websites I've found using .CHM exploits so far seem to be on much dodgier, off-brand providers. One file is us.yimg.com/i/tb/icons/qsbm.bmp

yimg.com is owned by Yahoo - so is Yahoo trying to pwn all 0ur b0x3n? Not by indirect means, I think.

To the extent that I grok the exploit (courtesy http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0806.html), a .bmp file with an offset value greater than a signed int can convey will give a buffer overflow in IE 5.x.

I don't know the structure of bitmap files, so I'm not in a position to say whether the files on these sites represent an actual attempt to do evil. It looks like the file may have some problems - but it does display o.k. McAfee triggers on the PoC bitmap but does not on this one. Either McAfee is up to the usual tricks - using a harmless PoC for a too-specific signature - or possibly they have a more useful, more specific understanding of the problem.


Here's the partial packet (apologies in advance for borked formatting):

10:59:55.447926 209.246.22.88.80 > xxx.yyy.101.49.3018: P 4164933892:4164934476(584) ack 2769532247 win 8576 (DF) (ttl 56, id 41497)
  0000: 4500 0270 a219 4000 3806 a852 d1f6 1658  E..p".@.8.(RQv.X
  0010: xxyy 6531 0050 0bca f83f d904 a513 b557  (.e1.P.Jx?Y.%.5W
  0020: 5018 2180 7132 0000 4854 5450 2f31 2e30  P.!.q2..HTTP/1.0
  0030: 2032 3030 204f 4b0d 0a43 6f6e 7465 6e74   200 OK..Content
  0040: 2d54 7970 653a 2069 6d61 6765 2f62 6d70  -Type: image/bmp
  0050: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468  ..Content-Length
  0060: 3a20 3337 320d 0a4c 6173 742d 4d6f 6469  : 372..Last-Modi
  0070: 6669 6564 3a20 4672 692c 2031 3520 4170  fied: Fri, 15 Ap
  0080: 7220 3139 3934 2030 303a 3030 3a30 3020  r 1994 00:00:00 
  0090: 474d 540d 0a44 6174 653a 204d 6f6e 2c20  GMT..Date: Mon, 
  00a0: 3038 204e 6f76 2032 3030 3420 3138 3a35  08 Nov 2004 18:5
  00b0: 393a 3535 2047 4d54 0d0a                 9:55 GMT..

Here's the packet that requested it:

10:59:55.421368 xxx.yyy.101.49.3018 > 209.246.22.88.80: P 2769532031:2769532247(216) ack 4164933892 win 64240 (DF) (ttl 128, id 7916)
  0000: 4500 0100 1eec 4000 8006 e4ef xxyy 6531  E....l@...do(.e1
  0010: d1f6 1658 0bca 0050 a513 b47f f83f d904  Qv.X.J.P%.4.x?Y.
  0020: 5018 faf0 ab71 0000 4745 5420 2f75 732e  P.zp+q..GET /us.
  0030: 7969 6d67 2e63 6f6d 2f69 2f74 622f 6963  yimg.com/i/tb/ic
  0040: 6f6e 732f 7173 626d 2e62 6d70 2048 5454  ons/qsbm.bmp HTT
  0050: 502f 312e 310d 0a41 6363 6570 743a 202a  P/1.1..Accept: *
  0060: 2f2a 0d0a 5573 6572 2d41 6765 6e74 3a20  /*..User-Agent: 
  0070: 4d6f 7a69 6c6c 612f 342e 3020 2863 6f6d  Mozilla/4.0 (com
  0080: 7061 7469 626c 653b 204d 5349 4520 362e  patible; MSIE 6.
  0090: 303b 2057 696e 646f 7773 204e 5420 352e  0; Windows NT 5.
  00a0: 313b 202e 4e45 5420 434c 5220 312e 312e  1; .NET CLR 1.1.
  00b0: 3433 3232 290d 0a48 6f73                 4322)..Hos
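
The condition the post describes, written out as an added triage example (not the list's, Snort's or the sig 2671 rule text, and not code from the poster): parse the 14-byte BITMAPFILEHEADER of a downloaded .bmp and flag a bfOffBits value that is negative when read as a signed 32-bit integer. The past-end-of-data check, the field names and the two constructed sample bitmaps are assumptions added for illustration.

```python
import struct

SIGNED_INT32_MAX = 0x7FFFFFFF
# BITMAPFILEHEADER: magic "BM", bfSize, bfReserved1, bfReserved2, bfOffBits (all little-endian)
FILE_HEADER = struct.Struct("<2sIHHI")


def triage_bmp(data: bytes) -> dict:
    """Parse the file header and report whether bfOffBits looks like an overflow attempt.

    The first check is the one the post describes: an offset too large for a signed int.
    The second (offset beyond the end of the data) is an assumed extra sanity check.
    """
    if len(data) < FILE_HEADER.size:
        return {"suspicious": False, "reasons": ["truncated: no file header"]}
    magic, bf_size, _r1, _r2, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        return {"suspicious": False, "reasons": ["not a BMP (bad magic)"]}
    reasons = []
    if off_bits > SIGNED_INT32_MAX:
        reasons.append(f"bfOffBits 0x{off_bits:08x} is negative as a signed 32-bit int")
    if off_bits > len(data):
        reasons.append(f"bfOffBits {off_bits} points past the end of the data ({len(data)} bytes)")
    return {"magic": magic, "bfSize": bf_size, "bfOffBits": off_bits,
            "suspicious": bool(reasons), "reasons": reasons}


def make_bmp(off_bits: int, pixel_bytes: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed 1x1 24-bit BMP (40-byte BITMAPINFOHEADER) with an explicit bfOffBits."""
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel_bytes), 2835, 2835, 0, 0)
    body = dib + pixel_bytes
    return FILE_HEADER.pack(b"BM", FILE_HEADER.size + len(body), 0, 0, off_bits) + body


# Constructed samples: a well-formed file and one whose offset has the sign bit set.
BENIGN = make_bmp(14 + 40)
MALFORMED = make_bmp(0xFFFFFFF0)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, triage_bmp(blob))
```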