
[Snort-sigs] WEB-IIS w3who.dll overflow attempt

Subject: [Snort-sigs] WEB-IIS w3who.dll overflow attempt
Date: Tue, 7 Dec 2004 11:40:43 -0700

Notes about this new rule submission:


* The rule fires on a combination of an overly long, HTTP request-like 
string and a URI that includes w3who.dll so false positives are 
certainly possible but they should be fairly rare. If anybody knows 
how to intelligently combine the two parts then I would be interested 
to hear about it. (The only thing that comes to my mind is pcre /U but
it seems to have more problems than benefits in this particular case.)


* The original request-like regular expression was

  /^\s*\w+[ \t]+\S{500,}+[ \t]+HTTP\//mi

but a very large request would cause stream4 to flush the beginning of 
the request before it can get to the "HTTP/" tail. That would be 
a vector for a false negative so the "HTTP/" tail test was removed:

  /^\s*\w+[ \t]+\S{500}/m

The downside is that it potentially increases the occurrence of false 
positives.


* Only GET method-like requests are detected.


Cheers,
nnposter



# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS w3who.dll overflow attempt"; flow:to_server,established; 
uricontent:"/w3who.dll?"; nocase; pcre:"/^\s*\w+[ \t]+\S{500}/m"; 
reference:cve,2004-1135;
reference:url,www.exaprobe.com/labs/advisories/esa-2004-1206.html; 
classtype:web-application-attack; sid:(tbd); rev:1;) 

--
Sid:
(new)

--
Summary:
This event is generated when an attempt is made to exploit a buffer 
overflow in Microsoft Browser Client Context Tool (W3Who.dll).

--
Impact:
Denial of service or remote access. If the exploit is successful, 
an attacker can gain remote access to the host with system privileges.

--
Detailed Information:
W3Who is an Internet Server Application Programming Interface (ISAPI) 
application dynamic-link library (DLL) that works within a Web page to 
display information about the calling context of the client browser and 
the configuration of the host server. W3Who is included in the Windows 
2000 Server Resource Kit.

A boundary error within the processing of parameters can be exploited 
to cause a buffer overflow by passing an overly long parameter.

--
Affected Systems:
Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed 
with IIS.)

--
Attack Scenarios:
An attacker can send a malformed HTTP request with an overly long 
parameter to W3Who DLL, subsequently causing a buffer overflow.

--
Ease of Attack:
Simple

--
False Positives:
Any overly large request URI with a reference to w3who.dll will be
detected.

--
False Negatives:
This signature only detects the attack when the parameters are passed 
as part of the URI (GET method).

--
Corrective Action:
Disable the W3Who.dll ISAPI extension.

--
Contributors:
http://www.exaprobe.com/labs/advisories/esa-2004-1206.html
nnposter@users.sourceforge.net

-- 
Additional References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640#3
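As an added illustration (not part of the submission above), here is a Python model of the rule's two tests, run over constructed requests: the uricontent check, the final pcre, and the earlier "HTTP/"-tail variant, against a long GET, a long non-w3who URI, a short benign request, the POST case listed under False Negatives, and a request cut off before its "HTTP/" tail as after a stream4 flush. The URI extraction is a simple split on the request line, an assumption that stands in for Snort's URI normalization.

```python
import re

# Python model of the two tests in the posted Snort rule, added here as an
# illustration; it is not part of the snort-sigs submission. Snort evaluates
# uricontent against the normalized URI and the pcre against the reassembled
# payload; here both run over one constructed request string.
URI_MARKER = "/w3who.dll?"                                   # uricontent, nocase
LONG_REQUEST = re.compile(r"^\s*\w+[ \t]+\S{500}", re.M)     # pcre in the rule
# The earlier variant with the "HTTP/" tail. The possessive "{500,}+" is
# written as "{500,}" because older Python re lacks possessive quantifiers;
# \S and [ \t] are disjoint, so the match result is the same.
LONG_REQUEST_TAIL = re.compile(r"^\s*\w+[ \t]+\S{500,}[ \t]+HTTP/", re.M | re.I)


def evaluate(payload: str) -> dict:
    """Run each rule test on one request payload and report the results."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")          # assumption: simple request-line split
    uri = parts[1] if len(parts) > 1 else ""
    return {
        "uricontent": URI_MARKER in uri.lower(),
        "pcre_final": LONG_REQUEST.search(payload) is not None,
        "pcre_with_tail": LONG_REQUEST_TAIL.search(payload) is not None,
    }


def rule_fires(payload: str) -> bool:
    """The rule alerts only when the URI test and the final pcre both pass."""
    result = evaluate(payload)
    return result["uricontent"] and result["pcre_final"]


# Constructed sample requests (not captured traffic); LONG stands in for
# the overly long parameter the submission describes.
LONG = "A" * 600
SAMPLES = {
    "long_get_w3who": f"GET /scripts/w3who.dll?{LONG} HTTP/1.0\r\nHost: iis\r\n\r\n",
    "long_get_other": f"GET /cgi-bin/search.dll?{LONG} HTTP/1.0\r\n\r\n",
    "short_get_w3who": "GET /scripts/w3who.dll?x=1 HTTP/1.0\r\n\r\n",
    # parameter in the body: the false negative noted in the submission
    "long_post_w3who": f"POST /scripts/w3who.dll HTTP/1.0\r\nContent-Length: 600\r\n\r\n{LONG}",
    # request without its "HTTP/" tail, as after a stream4 flush
    "truncated_flush": f"GET /scripts/w3who.dll?{LONG}",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} fires={rule_fires(payload)!s:5} {evaluate(payload)}")
```

The truncated request shows why the tail test was dropped: the final pcre still matches it, while the "HTTP/" variant does not.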

