Re: [Snort-sigs] content - security bulletin

You might want to look at the following writeup for how this
vulnerability works.

http://www.securityfocus.com/archive/1/471203

You going to need a bit more than a content match to pick this one up.

Once you read the analysis and disassembly you'll need to develop some
PoC code for the vulnerability so you know you are hitting the right
problem.  You'll need to test against both unpatched and patched
versions to make sure you didn't trigger something other than this
vulnerability.

After you have your exploit nailed down and all the necessary conditions
that have to be in place then you can begin writing the rule.

The first thing you'll need to do is go over all the flowbit decoding
rules in the web-misc category that deal with locating specific sections
of the SSL handshake.  Then you'll need to write some
byte_test/byte_jump logic to get to the correct section of the SSL
header, then you'll need to test for the triggering conditions of the
vulnerability that you found above.

Cheers,

-matt

Julio wrote:
> Hi Jamie, Hi Matthew,
>
> After investigation, here are the elements that I have to build the rule
>
> Source ip: any
>
> Port: 443, 261, 587, 465, 993, 995 (these are the common port I found to be
> used with ssl and 
>
> Option: TCP
>
> Msg: "anything like attempt to remote execution" 
>
> Now for the content: Schannel performs insufficient checks for specially
> crafted server-sent digital signatures during the SSL handshake." 
> Also, the attacker can take control of the remote system 
>
> My problem is here, what will I put into the content=â??????â
>
>
>
> Thanks,
> Jules
>
> Ps: I have problem sending to the list, sorry I am sending it here. I am not
> sure what's wrong. 
>
>
>
> -----Message d'origine-----
> De : Matthew Watchinski [mailto:mwatchinski@sourcefire.com] 
> Envoyà : 22 June 2007 15:22
> Ã : Julio
> Cc : snort-sigs@lists.sourceforge.net
> Objet : Re: [Snort-sigs] content - security bulletin
>
> What kind of guidance are you looking for?
>
> -matt
>
> Julio wrote:
> > Hi All,
> >
> >  
> >
> > My question is based on the latest security bulletin released by Microsoft
> > and snort rules
> >
> >  
> >
> > http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx 
> >
> >  
> >
> > I am trying to create a rule based on the 
> >
> >  
> >
> > Vulnerability in the Windows Schannel Security Package Could Allow Remote
> > Code Execution (935840)
> >
> > Published: June 12, 2007
> >
> >  
> >
> > I have few problems putting together the rules content 
> >
> >  
> >
> > Can someone give me some guidance 
> >
> >  
> >
> > Thanks,
> >
> > Julio
> >
> >  
> >
> >  
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs