Subject: [Snort-sigs] IE Vulnerability Analysis and Detection
Date: Fri, 24 Mar 2006 21:24:37 -0500
The Sourcefire Vulnerability Research Team (VRT) has learned of two
vulnerabilities in Microsoft Internet Explorer that have been released
and currently remain unpatched. The following advisory provides detailed
analysis from VRT testing as well as suggested rules to detect recent
exploits.

Vulnerability Overview:

1. Bugtraq ID 17131 - Microsoft Internet Explorer Script Action Handler
Buffer Overflow Vulnerability

2. Bugtraq ID 17196 - Microsoft Internet Explorer CreateTextRange Remote
Code Execution Vulnerability

VRT Analysis:

The VRT has conducted extensive research into how these vulnerabilities
work and how to detect the current exploits that have been released.
These rules may also detect future variants.

Currently our research into Bugtraq 17131 shows that roughly 100 of
these action handlers are required in a single tag to trigger the
vulnerability.  It can be any combination of these action handlers as
long as it is roughly 100 of them in the same tag.

Additionally, research into Bugtraq 17196 shows that this vulnerability
is triggered by the use of the createTextRange function in an
inappropriate object or HTML tag that will be parsed by Internet
Explorer.  This vulnerability relies solely on the usage of this
function in conjunction with objects that do not support it.

Detection:

The nature of these vulnerabilities is such that the generic
vulnerability detection required for VRT Certified Rules is not
practical. The VRT has therefore released the following rules to the
Community ruleset, along with an explanation of the limitations of each.

For Bugtraq ID 17131:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
WEB-CLIENT Internet Explorer intrinsic event heap overflow attempt";
flow:established; content:"on"; nocase;
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
pcre:"/on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR";
reference:bugtraq,17131; sid:100000238; rev:1;)

NOTE: This rule is very performance intensive as the pcre is recursive
in nature and requires inspecting large HTML sessions.
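Why the rule above is noisy follows from how relative (R) pcre matches chain: each of the 11 patterns resumes where the previous one ended, so the rule needs 11 handler names anywhere in the stream, not the ~100 in one tag that the VRT analysis describes. The script below is an added example, not part of the advisory or the Community ruleset: it emulates the rule's chained matching next to a per-tag count, on constructed HTML samples.

```python
import re

# Handler-name alternation copied verbatim from sid 100000238 above.
HANDLER = (r"on(afterupdate|(db)?click|help|key(up|down|press)"
           r"|mouse(up|down|move|o(ut|ver))|(drag|select)start"
           r"|r(owe(xit|nter)|eadystatechange))")
HANDLER_RE = re.compile(HANDLER, re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]*>", re.DOTALL)  # crude tag splitter, enough here


def rule_fires(payload: str, chained: int = 11) -> bool:
    """Emulate the rule: content:"on" as a prefilter, then 11 pcre with the
    R modifier. Each search starts at the end of the previous match, so the
    rule fires on any buffer holding 11 handler names, in any number of tags."""
    if "on" not in payload.lower():
        return False
    pos = 0
    for _ in range(chained):
        m = HANDLER_RE.search(payload, pos)
        if m is None:
            return False
        pos = m.end()
    return True


def max_handlers_per_tag(payload: str) -> int:
    """Closer to the condition VRT describes: count handlers inside one tag."""
    return max((sum(1 for _ in HANDLER_RE.finditer(t.group(0)))
                for t in TAG_RE.finditer(payload)), default=0)


def per_tag_alert(payload: str, threshold: int = 100) -> bool:
    """Alert only when a single tag carries roughly 100 handlers (assumed
    threshold, taken from the advisory's 'roughly 100')."""
    return max_handlers_per_tag(payload) >= threshold


# Constructed samples: a benign page with a dozen buttons, one handler each,
# and a single tag crowded with 100 handlers.
BENIGN = "".join(f'<input type="button" onclick="go({i})">' for i in range(12))
CROWDED = "<div " + " ".join('onmouseover="x"' for _ in range(100)) + ">"

if __name__ == "__main__":
    for name, html in (("benign", BENIGN), ("crowded", CROWDED)):
        print(name, "rule:", rule_fires(html),
              "max/tag:", max_handlers_per_tag(html),
              "per-tag alert:", per_tag_alert(html))
```

The benign page fires the emulated rule (12 handlers spread over 12 tags) while the per-tag check stays quiet, which is exactly the trade-off the NOTE above and the Conclusion describe: the session-level rule is cheap to ship but cannot see tag boundaries.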

For Bugtraq ID 17196:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
WEB-CLIENT IE createTextRange overflow attempt";
flow:to_client,established; content:".createTextRange"; nocase;
classtype:attempted-user; reference:bugtraq,17196;
reference:cve,2006-1359; sid:100000239; rev:1;)

NOTE: This rule is a generic content match as the exploitation vectors
are too varied to be more specific.  This means the rule potentially has
a very high noise to signal ratio. Numerous commonly used web sites use
this function in a non-malicious manner and browsing these sites may
cause this rule to generate events. Care should be taken while analyzing
events generated from this rule.

These rules are available in the Community Ruleset at
http://www.snort.org/pub-bin/downloads.cgi#COMM.

Conclusion:

Effective detection of these web client vulnerabilities requires
extensive parsing of the HTML DOM tree for each and every web page
visited by a client. This detection is best handled by local system
software that can perform the inspection in the context of the browser.