Re: [Snort-sigs] Lpd Solaris unlink file attempt false positives

THanks Nigel.

Any thoughts on why the falses? Was getting thousands of them (one for
every print job in every site :) ) till we disabled it.

Matt


On Tue, 2005-09-27 at 10:11 -0500, Nigel Houghton wrote:
> On  0, Matt Jonkman <matt@infotex.com> allegedly wrote:
> > No docs on this sig, so not sure what to compare to. Getting a ton of
> > false positives on very normal print jobs:
> >
> > 000 : 1D 03 7D B1 02 02 43 54 58 40 28 08 16 14 15 00   ..}...CTX@(.....
> > 010 : 0C 0F 10 02 55 00 0E 0C 0F 10 02 55 0E 0C 0D 0D   ....U......U....
> > 020 : 02 55 0E 15 30 40 00 01 20 00 30 00 02 00 00 10   .U..0@.. .0.....
> > 030 : 00 02 00 B8 FF C0 B4 13 14 02 55 00 B8 FF C0 40   ..........U....@
> > 040 : 11 11 11 02 55 00 00 0B 1B 25 11 07 00 07 10 07   ....U....%......
> > 050 : 02 07 B8 FF C0 B4 0F 10 02 55 07 B8 FF C0 B5 13   .........U......
> > 060 : 14 02 55 07 04 B8 FF D6 B4 13 14 02 55 04 B8 FF   ..U.........U...
> > 070 : CA B7 12 12 02 55 04 31 0B 0B 00 3F ED 2B 2B C4   .....U.1...?.++.
> > 080 : 2B 2B 5D 3F ED 12 39 2F 2B 2B 5D 5D 5D ED 01 2F   ++]?..9/++]]]../
> > 090 : 2B 2B DD 2B C0 2F CD C0 31 30 1B B1 06 02 43 54   ++.+./..10....CT
> > 0a0 : 58 40 1D 15 80 00 A0 00 B0 00 03 20 00 30 00 40   X@......... .0.@
> > 0b0 : 00 03 00 00 10 00 02 00 00 0B 1B 25 11 07 08 07   ...........%....
> > 0c0 : B8 FF C0 40 24 10 10 06 55 10 07 20 07 B0 07 03   ...@$...U.. ....
> > 0d0 : 00 07 60 07 80 07 A0 07 04 07 92 04 A2 04 B2 04   ..`.............
> > 0e0 : 03 04 31 0B 0B 07 08 16 14 B8 FF F4 40 26 0D 0D   ..1.........@&..
> > 0f0 : 06 55 14 14 1F 1E 15 00 0C 0D 0D 06 55 00 0C 0F   .U..........U...
> > 100 : 0F 06 55 00 0E 0C 0F 0F 06 55 0E 16 0D 0D 06 55   ..U......U.....U
> > 110 : 0E 0E 1F 1E 11 12 39 2F 2B 2B DD 2B 2B C0 11 12   ......9/++.++...
> > 120 : 39 2F 2B CD D0 CD 00 3F ED 5D C4 5D 5D 2B 32 3F   9/+....?.].]]+2?
> > 130 : ED 12 39 2F 5D 5D 5D CD 31 30 1B 40 19 12 5F 18   ..9/]]].10.@.._.
> > 140 : 5D 19 60 00 60 14 D6 03 05 19 20 1C 39 17 20 1C   ].`.`..... .9. .
> > 150 : 39 16 40 1C 39 1F B8 FF C0 40 0A 43 4A 34 08 1F   9.@.9....@.CJ4..
> > 160 : 43 0D 5D 36 1F B8 FF C0 B3 28 28 34 1F B8 FF C0   C.]6.....((4....
> > 170 : 40 53 2A 2E 34 1B 06 19 09 58 13 5E 16 5F 17 5A   @S*.4....X.^._.Z
> > 180 : 18 5B 1A 07 01 03 09 06 07 09 08 0C 05 15 49 06   .[............I.
> > 190 : 89 02 8C 06 87 0C 8A 10 85 1D A3 02 AB 18 B5 13   ................
> > 1a0 : D4 02 D9 0F DA 10 F4 02 F3 03 13 12 60 07 60 08   ............`.`.
> > 1b0 : 70 07 80 07 89 09 C1 07 C8 0F F0 07 08 04 01 07   p...............
> > 1c0 : 0D 84 02 03 09 BA FF E0 00 06 FF E0 40 4A 36 09   ............@J6.
> > 1d0 : 46 02 47 09 4F 1F 54 02 54 09 62 02 72 02 89 13   F.G.O.T.T.b.r...
> > 1e0 : 89 19 99 13 A4 09 A4 0A B8 08 B5 09 B0 0A C7 02   ................
> > 1f0 : E7 02 E0 0C F4 0A 14 08 D0 07 01 00 07 D0 07 02   ................
> > 200 : 71 07 01 00 07 10 07 20 07 90 07 A0 07 B0 07 06   q...... ........
> > 210 : 07 7D 04 14 00 30 16 15                           .}...0..
> >
> > What are we supposed to be looking for here?
>  
> Apologies for not getting the docs out for this, here is the Detail
> section for the rule:
>
> Detailed Information:
> A vulnerability exists in the Solaris operating system that may allow an
> unprivileged use to remove any file on a system using the line printer
> daemon. This can be done via the Unlink command which can be used to
> unlink any file on a local or remote sytem accepting connections to lpd.
>
> Solaris offers a printer daemon in.lpd that allows network users to
> print jobs over the network.  The receive printer job function allows a
> user to supply job control information for the print job.  A flaw exists
> in code that checks the job control information for a supplied file name
> to be deleted. It does not make sure that the supplied file name is
> located in the default printer queue directory, permitting arbitrary
> files to be deleted.
>
> The 'U' command instructs the LPD to unlink a file on completion of a
> printing job. By supplying this command in an instruction to the LPD,
> an attacker is able to remove any file on the remote system.
>
> +--------------------------------------------------------------------+
>      Nigel Houghton      Research Engineer       Sourcefire Inc.
>                    Vulnerability Research Team
>
>  I require a window seat and an inflight Happy Meal, and no pickles! 
>  God help you if I find pickles!
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.



-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs