VRT Advisories
VRT Rules 2005-04-14
Sourcefire VRT Certified Rule Update
Date: 2005-04-14
Synopsis:
After continuing research into the Microsoft Security Bulletin (MS05-019) released on Tuesday, April 12, 2005, the Sourcefire Vulnerability Research Team (VRT) has determined that existing rules and preprocessors will generate events if attempts are made to exploit the vulnerabilities outlined in the bulletin.
Details:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A Denial of Service vulnerability exists in Microsoft Windows XP Service Pack 2 and Windows Server 2003 hosts, triggered by a specially crafted TCP packet.
To exploit this DoS condition, an attacker sends a TCP SYN packet with the same source and destination IP address and port. This is known as a "Land Attack" and, while it has been around for many years, most operating systems have addressed the vulnerability.
Networks that do ingress and egress filtering correctly will not allow a spoofed packet inbound that has an identical source and destination IP address.
TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists in Microsoft hosts that may permit an existing TCP connection to be reset.
Many TCP services such as BGP require a persistent TCP connection. A vulnerability in the core implementation of TCP may make it possible for an attacker to reset a number of connections and cause a Denial of Service (DoS) to occur.
The attack is possible because the listening service will accept a TCP sequence number within a range of what is expected in an established session. Since BGP and other services rely on an established TCP session state, guessing a suitable sequence number to reset connections is feasible.
IP Validation Vulnerability - CAN-2005-0048
A denial of service vulnerability exists in Microsoft Windows 98, 98 SE, ME, Windows 2000 and Windows XP Service Pack 1 hosts that may cause a denial of service or possibly result in execution of arbitrary code on a vulnerable host.
The operating systems above fail to properly validate malformed multi-byte IP options. These options have a standard format of IP option code, IP option length and IP option data.
The failure to drop a malformed IP option causes the operating system to misinterpret the data that follows. This can cause memory access violations that halt the kernel and cause a DoS condition to occur. Successful exploitation of this issue may allow an attacker to execute code of their choosing on an affected host.
Detection:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A Land attack will be detected by the Snort rule with sid 527 and a message of "BAD-TRAFFIC same SRC/DST".
TCP Connection Reset Vulnerability - CAN-2004-0230
A BGP reset attack will be detected by the signature with sid 2523 and a message of "DOS BGP spoofed connection reset attempt". While other TCP services may be vulnerable, they often do not maintain a persistent state or a period of inactivity where the TCP sequence number does not change. This makes it more difficult to reset the connection.
IP Validation Vulnerability - CAN-2005-0048
The Snort decoder recognizes the presence of truncated IP options.
The event will appear in Snort logs as:
[**] [116:5:1] (snort_decoder): Truncated Ipv4 Options [**]
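The two decoder-level conditions above, same source and destination address (the Land packet) and a multi-byte IP option whose declared length does not fit the header, can both be checked on a raw IPv4 packet. The following added example (not the Snort decoder and not Sourcefire code) walks the options area using the code/length/data layout described in the Details section and flags the same two conditions the page says sid 527 and the decoder event cover. The packet builders, the addresses and ports, and the zeroed checksums are constructed for the example; the finding names are this example's own labels, not Snort event identifiers.

```python
"""Decoder-style checks for the Land and truncated-IP-options conditions (added example)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

IPOPT_EOL = 0      # End of Option List: single byte, terminates the options area
IPOPT_NOP = 1      # No Operation: single byte, used for alignment
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02


@dataclass
class Finding:
    name: str
    detail: str


def parse_ipv4_options(opts: bytes) -> tuple[list[tuple[int, bytes]], list[Finding]]:
    """Walk the IPv4 options area using the code / length / data layout.

    A multi-byte option is truncated when it has no length byte, declares a length
    below 2 (the length counts the code and length bytes themselves), or declares
    more bytes than remain in the header. Walking stops at the first defect, as a
    decoder would, because nothing after it can be trusted.
    """
    parsed: list[tuple[int, bytes]] = []
    findings: list[Finding] = []
    i, n = 0, len(opts)
    while i < n:
        code = opts[i]
        if code == IPOPT_EOL:
            break
        if code == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            findings.append(Finding("truncated_ip_options",
                                    f"option {code} at offset {i} has no length byte"))
            break
        length = opts[i + 1]
        if length < 2 or i + length > n:
            findings.append(Finding("truncated_ip_options",
                                    f"option {code} declares length {length} with {n - i} bytes left"))
            break
        parsed.append((code, bytes(opts[i + 2:i + length])))
        i += length
    return parsed, findings


def inspect_ipv4_packet(pkt: bytes) -> list[Finding]:
    """Flag same-src/dst (Land) packets and truncated IP options in one raw IPv4 packet."""
    if len(pkt) < 20:
        return [Finding("short_ip_header", f"{len(pkt)} bytes")]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        return [Finding("bad_ip_header", f"version={version} ihl={ihl} len={len(pkt)}")]
    findings: list[Finding] = []
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    _, option_findings = parse_ipv4_options(pkt[20:ihl])
    findings.extend(option_findings)
    if src == dst:  # the "same SRC/DST" condition, regardless of transport protocol
        detail = f"src and dst both {src}"
        if pkt[9] == IPPROTO_TCP and len(pkt) >= ihl + 14:
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            syn = bool(pkt[ihl + 13] & TCP_FLAG_SYN)
            detail += f", ports {sport}->{dport}, SYN={syn}"
        findings.append(Finding("land_attack", detail))
    return findings


# --- constructed sample packets (checksums left at zero; they are not verified here) ---

def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad with EOL to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, TCP_FLAG_SYN, 8192, 0, 0)


LAND_PKT = build_ipv4("10.0.0.5", "10.0.0.5", IPPROTO_TCP, payload=build_tcp_syn(139, 139))
# Loose Source Route option (code 131) claims 7 bytes but only 3 precede the padding
TRUNCATED_PKT = build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, options=b"\x83\x07\x04",
                           payload=build_tcp_syn(1025, 80))
# Record Route option (code 7) with one empty address slot: well formed
CLEAN_PKT = build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP, options=b"\x07\x07\x04\x00\x00\x00\x00",
                       payload=build_tcp_syn(1025, 80))

if __name__ == "__main__":
    for label, pkt in (("land", LAND_PKT), ("truncated", TRUNCATED_PKT), ("clean", CLEAN_PKT)):
        print(label, [f"{f.name}: {f.detail}" for f in inspect_ipv4_packet(pkt)])
```

The ingress-filtering point made earlier applies here too: a packet whose source address equals the destination has no legitimate reason to arrive from outside, so the `land_attack` finding is one a border filter should make unreachable and a sensor should treat as a filtering failure if it ever fires.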
References:
Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx
About the VRT:
The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.
Posted by on Apr 14, 2005
VRT Rules 2005-04-12
Sourcefire VRT Certified Rule Update
Date: 2005-04-12
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Internet Explorer and the Microsoft Windows operating system.
Details:
Dynamic HTML extends static HTML pages to allow interactive web pages to be easily created. A flaw in the Microsoft Internet Explorer DHTML Engine may allow an attacker to exploit a race condition and possibly execute code of their choosing on the victim host with the privileges of the user running Internet Explorer.
Internet Explorer allows various DHTML objects to be used via Javascript. Poor memory management in the object handling code of Internet Explorer may allow an attacker to overwrite portions of memory and execute code of their choosing on a vulnerable host.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3549 and 3553.
A programming error in Microsoft Internet Explorer may allow an attacker to execute code of their choosing on a vulnerable host. Specifically, the error lies in the handling of hostnames longer than 256 characters. When IE tries to process a hostname of this length or longer, the process may crash or cause the application to become unstable, presenting the attacker with an opportunity to execute code of their choosing on an affected system.
A Rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3550.
Microsoft Windows has design errors that may enable an attacker to execute code of their choosing on a vulnerable system. Specifically, it is possible to execute code from objects not marked as executable.
Microsoft OLE2 allows objects to be executed by integrating applications. The Class ID (CLSID) of an object allows objects to be loaded by multiple applications. This CLSID is embedded in the object and may be manipulated by an attacker to force an application into executing code of the attacker's choosing.
Specifically, the CLSID can be made to point at the Microsoft HTML Application Host (MSHTA). MSHTA.EXE will process each line of a file and execute any script code it finds.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3551 and 3552.
Rule Pack Summary:
For a complete list of new and modified rules, click here.
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.
Posted by on Apr 12, 2005
VRT Rules 2005-04-05
Sourcefire VRT Certified Rule Update
Date: 2005-04-05
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various implementations of Telnet.
Details:
The Telnet protocol can be used to remotely connect machines over a networked connection. A telnet client and server can negotiate various options such as the character set to be used in the communication exchange. Various environment variables can also be set by issuing commands from the client.
Programming errors in the telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3533 and 3537.
Posted by on Apr 05, 2005
VRT Rules 2005-03-28
Sourcefire VRT Certified Rule Update
Date: 2005-03-28
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting MySQL. In addition, the VRT has leveraged new detection engine capabilities to provide coverage for an FTP port bounce attack.
The VRT has also added rules and improved detection capabilities as a result of ongoing research into serious vulnerabilities affecting Computer Associates License Server, BrightStor ARCserve and Oracle database servers.
Details:
A vulnerability exists in MySQL's handling of the CREATE FUNCTION command, possibly allowing an authenticated user with INSERT and DELETE privileges for the administrative databases to execute arbitrary code.
A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3528.
The PORT command can be used in an FTP PORT bounce attack to establish a connection between the FTP server and another machine listening on an alternative port. This may lead to unauthorized access to a target host listening on a port not available from outside the protected network.
A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3441.
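The PORT bounce check described above reduces to comparing the address carried in the PORT argument with the address of the client on the control connection: a PORT command that asks the server to open its data connection to a different host is the bounce. The following added example (not Snort's FTP preprocessor and not the content of sid 3441) parses the six-octet `h1,h2,h3,h4,p1,p2` argument and classifies each command from a constructed control-channel transcript. The session lines and addresses are made up for the example; the `low_port` label, applied when the data port is below 1024 even though the host matches, is an extra policy choice of this example and not something the advisory states.

```python
"""Classify FTP PORT commands for bounce attempts (added example, not Snort code)."""
from __future__ import annotations

import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets and a big-endian 16-bit port
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_argument(arg: str) -> tuple[ipaddress.IPv4Address, int]:
    """Decode the PORT argument; raise ValueError for out-of-range octets."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"bad PORT argument: {arg}")
    host = ipaddress.IPv4Address(bytes(parts[:4]))
    port = (parts[4] << 8) | parts[5]
    return host, port


def classify_port_command(client_ip: str, line: str) -> str:
    """Return one of: not_port, malformed, bounce, low_port, ok.

    'bounce' means the requested data-connection host differs from the client that
    sent the command, i.e. the server is being asked to connect to a third host.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return "not_port"
    try:
        host, port = parse_port_argument(m.group(1))
    except ValueError:
        return "malformed"
    if host != ipaddress.IPv4Address(client_ip):
        return "bounce"
    if port < 1024:  # example policy: data connections to service ports are suspicious
        return "low_port"
    return "ok"


def scan_session(session: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Run the classifier over (client_ip, command line) pairs, keeping only PORT verdicts."""
    results = []
    for client_ip, line in session:
        verdict = classify_port_command(client_ip, line)
        if verdict != "not_port":
            results.append((line, verdict))
    return results


# Constructed control-channel transcript: one client talking to one FTP server.
SAMPLE_SESSION = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),     # data back to the client on 1025: normal
    ("192.0.2.10", "PORT 10,0,0,7,0,25"),      # asks the server to reach 10.0.0.7:25: bounce
    ("192.0.2.10", "port 192,0,2,10,0,80"),    # client host, but service port 80
    ("192.0.2.10", "PORT 192,0,2,300,4,1"),    # octet out of range
    ("192.0.2.10", "RETR file.txt"),
]

if __name__ == "__main__":
    for line, verdict in scan_session(SAMPLE_SESSION):
        print(f"{verdict:10s} {line}")
```

Whether the `bounce` verdict is actionable depends on where the sensor sits: a PORT argument naming an address inside the protected network while the control connection comes from outside is the case the advisory describes, so a deployment would normally restrict the alert to that direction rather than to every mismatch.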
Computer Associates License software allows a site to maintain and handle licenses for CA products. A server runs the software to facilitate this and it communicates with clients/agents on the network. A vulnerability exists in some GCR messages that exchange data with a listening server or client.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3524, 3525 and 3529.
A vulnerability exists in the way that the BrightStor ARCserve discovery service processes client messages. Client product information messages and client slot information messages that contain an overly long client name or client domain value can cause a buffer overflow.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3530 and 3531.
The Oracle XDB UNLOCK command is vulnerable to a buffer overflow attack. A fixed size buffer is allocated for a parameter associated with the command. A user-supplied parameter value that is longer than the allocated buffer can cause a buffer overflow and allow the subsequent execution of arbitrary commands on a vulnerable server.
A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3526.
Posted by on Mar 28, 2005
VRT Rules 2005-03-16
Sourcefire VRT Certified Rule Update
Date: 2005-03-16
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Oracle database servers, Computer Associates License server and MySQL MaxDB WebSQL service.
Details:
Oracle UTL_FILE commands allow a user to read, write, copy, or delete files in locations and directories authorized to the user. However, sufficient checks are not performed to ensure that the user does not attempt to employ a directory traversal technique to manipulate files outside the authorized directories.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3512 through 3516.
Computer Associates License software allows a site to maintain and handle licenses for CA products. A server runs the software to facilitate this and it communicates with clients/agents on the network. A programming error may present an attacker with the opportunity to overflow a static buffer and possibly execute code of their choosing on the affected host.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3520 through 3522 and 3517.
The MySQL MaxDB WebSQL service suffers from a programming error that may allow an attacker to overflow a static buffer by supplying excess data in the parameter to the password value. The attacker may then be able to execute code of their choosing on the affected host.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3518 and 3519.
Posted by on Mar 16, 2005
