On 21/06/07, Julio <jferdinand@uacosendai.net> wrote:
Hi All,
My question is based on the latest security bulletin released by Microsoft
and snort rules
http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx
I am trying to create a rule based on the
Vulnerability in the Windows Schannel Security Package Could Allow Remote
Code Execution (935840)
<snip>
I have few problems putting together the rules content
Here is a demo of bindiff run against the patch courtesy of Sabre
Security: http://www.sabre-security.com/files/schannel.swf
Presumably you'll need some way - such as the above, or observing such
an attack in the wild - to find out exactly how the bug can be
triggered. "Schannel performs insufficient checks for specially
crafted server-sent digital signatures during the SSL handshake." -
but I don't know in what way these signatures are malformed.
One thing to do is not limit it to port 443, because you could in
theory exploit it over any port (e.g.
http://evil.com:3141/ms07-031-exploit.html )
cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
