Network Security: Detailed info on Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from

Subject:	Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflow
Date:	Wed, 27 Jun 2007 00:23:02 +0200 (CEST)

Hi Matt,

1. Why 200 if the stack buffer for this is 100 bytes?


well, read ngssoftware advisory: "If uuid_from_char is passed a long string as 
its argument, a stack...",
if anyone have network traffic on ingres db ?

2. Why content:!")"; if an sql statement of this works
uuid_from_char( 'Ax100' )


I don't known if it is possible on this uuid_from_char()

Seems like the terminator would be ' and not )


Im search end line {)} (before return because sql), not "'" or '"'

3. Why do a dsize, a isdataat and a within that all check essentially the 
same thing?


yes, but dsize is more fast: check first big sql size, check second content and 
after isdataat

4. Since this function is only suppose to convert text uuid's to byte
uuids why not just whitelist valid uuid's.  IE the function only takes
"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX" and it must be formated like that.


good remark, but pcre is more slow than isdataat, maybe modified rules (v2) :
  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 21064 (msg:"SQL Ingres 
uuid_from_char() overflow attempt";
  flow:to_server,established; dsize:>200; content:" uuid_from_char("; nocase;
  pcre:!"/ 
uuid_from_char\(\s*('|")\d{8}\-\d{4}\-\d{4}\-\d{4}\-\d{12}('|")\s*\)/i";
  reference:cve,2007-3338; reference:bugtraq,24585; classtype:attempted-user; 
sid:92036; rev:2;)

Best Regards
Rmkml

Cheers,
-matt

rmkml wrote:

Hi,

please check and maybe add this new rule :

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 21064 (msg:"SQL Ingres 
uuid_from_char() overflow attempt";

  flow:to_server,established; dsize:>200; content:" uuid_from_char("; nocase;
  isdataat:200,relative; content:!")"; within:200;
  reference:cve,2007-3338; classtype:attempted-user; sid:92036; rev:1;)


Any suggestions and improvements are welcome,

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact@Crusoe-Researches.com
=> Crusoe Researches have more than 2036 UNIQ 'snort' rules for Commercial 
Access
     (Contact me directly if you are interested)

Azwalaro French new nidps open source project
http://www.Crusoe-Researches.com/azwalaro/
azwalaro@Crusoe-Researches.com

Regards
Rmkml

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] new rule for detect, rmkml Re: [Snort-sigs] new rule for detect, Matthew Watchinski Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflow, rmkml <= Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflow, Matthew Watchinski

Previous by Date:	Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflow, Matthew Watchinski
Next by Date:	[Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Previous by Thread:	Re: [Snort-sigs] new rule for detect, Matthew Watchinski
Next by Thread:	Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflow, Matthew Watchinski
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: [Snort-sigs] new rule for detect SQL Ingres uuid_from_char() overflo