VRT Advisories
VRT Rules 2005-03-09
Sourcefire VRT Certified Rule Update
Date: 2005-03-09
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Computer Associates BrightStor ARCserve.
The VRT has also added rules and improved the detection capabilities of existing rules as a result of ongoing research into vulnerabilities in Microsoft applications that use SSL.
Details
A vulnerability exists in the way the BrightStor ARCserve discovery service processes client messages. Client product information messages and client slot information messages that contain an overly long client name or client domain value cause a buffer overflow.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3474 through 3485.
Poor error handling in the Microsoft Secure Sockets Layer (SSL) library, specifically in the handling of SSL version 2 requests, makes it possible to cause a denial of service (DoS) condition in the various pieces of software on Microsoft operating systems that use the library.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3486 through 3511.
Rule Pack Summary
Rules:
VRT Certified Rule Updates are available to users in the following ways:
- Subscribers receive rulesets in real time as they are released to Sourcefire customers, five days ahead of Registered users
- Registered users receive rulesets when they are published
- Unregistered users receive a static ruleset containing only the rules available at the time of each Snort point release
About the Sourcefire Vulnerability Research Team
The Sourcefire Vulnerability Research Team (VRT) is a group of leading-edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. The team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.
Posted on Mar 09, 2005
Snort_update_20051018
Snort Back Orifice Vulnerability
Date: 2005-10-18
The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in Snort v2.4.0 through 2.4.2. Users are only vulnerable if the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released to correct the issue. In addition, detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are included below.
Snort v2.4.3:
In addition to fixing the vulnerability, this version includes a mechanism to detect exploits against vulnerable sensors and, optionally for inline sensors, drop the offending traffic. These features enable a phased approach to upgrading while still protecting unpatched sensors. The detection capabilities are part of the new preprocessor and are therefore available to all users regardless of subscription status.
In addition to the source tarball, PostgreSQL, MySQL and plain RPMs and a win32 installer are available. Please remember that updated rules are only included in major releases and must be obtained separately from the release itself.
Mitigation Instructions:
The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:
- Locate the line "preprocessor bo"
- Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
- Save the file
- Restart snort
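The four steps above, as an added example that is not part of the Sourcefire advisory: a small Python script that comments out every active "preprocessor bo" directive in a snort.conf (with or without arguments, since the directive may carry options), leaves lines that are already commented alone, keeps a .bak copy, and reports how many lines it changed. The snort.conf fragment embedded in it is constructed for demonstration, and restarting Snort afterwards is left to the operator.

```python
"""Comment out the Back Orifice preprocessor in a Snort 2.4 snort.conf.

Added example; not part of the Sourcefire advisory. It implements the
mitigation steps above for every active "preprocessor bo" directive (with
or without arguments, such as "preprocessor bo: -nobrute"), leaves lines
that are already commented alone, keeps a .bak copy and reports how many
lines it changed. Restarting Snort afterwards is left to the operator.
"""
import re
import shutil
import sys

# An active directive: optional indentation, the keyword, then "bo" as a
# whole word, optionally followed by ":" and arguments, then end of line.
# A line already beginning with "#" cannot match because "#" is not
# indentation, and "preprocessor bottle" cannot match because "bo" must be
# followed by ":" or the end of the line.
_BO_DIRECTIVE = re.compile(
    r'^([ \t]*)(preprocessor[ \t]+bo(?:[ \t]*:.*|[ \t]*))$', re.MULTILINE)


def bo_directives(conf_text):
    """Return the active (uncommented) 'preprocessor bo' directives."""
    return [m.group(2).rstrip() for m in _BO_DIRECTIVE.finditer(conf_text)]


def disable_bo_preprocessor(conf_text):
    """Comment out every active directive; return (new_text, lines_changed)."""
    return _BO_DIRECTIVE.subn(r'\1#\2', conf_text)


def disable_in_file(path):
    """Apply the change to a file on disk, keeping a copy at path + '.bak'."""
    with open(path, encoding='utf-8') as f:
        text = f.read()
    new_text, changed = disable_bo_preprocessor(text)
    if changed:
        shutil.copyfile(path, path + '.bak')
        with open(path, 'w', encoding='utf-8') as f:
            f.write(new_text)
    return changed


# Constructed snort.conf fragment for demonstration; not a real configuration.
SAMPLE_CONF = """\
preprocessor frag3_global
preprocessor bo
  preprocessor bo: -nobrute
# preprocessor bo
preprocessor stream4: detect_scans
"""

if __name__ == '__main__':
    if len(sys.argv) > 1:
        n = disable_in_file(sys.argv[1])
        print(f'{n} directive(s) commented out in {sys.argv[1]}')
    else:
        new_text, changed = disable_bo_preprocessor(SAMPLE_CONF)
        print(new_text, end='')
        print(f'{changed} directive(s) commented out; still active: {bo_directives(new_text)}')
```

Run it with the path to snort.conf as the only argument, check that bo_directives reports nothing left active, then restart Snort. The match is anchored at the start of the line on purpose: an indented directive is still active and must be commented, while a directive that already sits behind "#" must not be touched twice.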
Background:
On Thursday, October 13th Sourcefire was contacted by US-CERT with news of a vulnerability in Snort. We used the subsequent days to verify the vulnerability and to prepare mitigation strategies and the software updates necessary to fix the vulnerability for both Sourcefire customers and Snort users. While it cannot be said that no other problems will ever be found in the Snort code base, we can state that we will redouble our efforts to ensure the security of the system so many people have come to rely on for the detection of network-based threats. Sourcefire will also continue to work with the most sophisticated testing facilities in the industry to assure that every reasonable step is being taken to provide the most secure code base possible.
Technical Details:
The Back Orifice preprocessor contains a stack-based buffer overflow. An attacker could leverage this vulnerability to execute code remotely on any Snort sensor where the Back Orifice preprocessor is enabled. However, a number of factors make reliable remote code execution difficult to achieve across different builds of Snort on different platforms, or even on the same platform with different compiler versions, so it is more likely that an attacker would use the vulnerability for denial of service.
If you have any questions, please contact the snort team.
IE Issue JS V2
The Sourcefire Vulnerability Research Team (VRT) has learned of two vulnerabilities in Microsoft Internet Explorer that have been publicly disclosed and currently remain unpatched. The following analysis summarizes VRT testing and provides suggested rules to detect the exploits released so far.
Vulnerability Overview:
1. Bugtraq ID 17131 - Microsoft Internet Explorer Script Action Handler Buffer Overflow Vulnerability
2. Bugtraq ID 17196 - Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
VRT Analysis:
The VRT has conducted extensive research into how these vulnerabilities work and how to detect the exploits that have been released. The resulting rules may also detect future variants.
Research into Bugtraq 17131 shows that roughly 100 intrinsic event handler attributes (onclick, onmouseover and the like) must appear in a single HTML tag to trigger the vulnerability. Any combination of these handlers will do, as long as roughly 100 of them are in the same tag.
Research into Bugtraq 17196 shows that the vulnerability is triggered by calling the createTextRange function on an object or HTML element, parsed by Internet Explorer, that does not support it. The vulnerability relies solely on the use of this function in conjunction with objects that do not support it.
Detection:
The nature of these vulnerabilities is such that the generic, vulnerability-based detection required for VRT Certified Rules is not practical. The VRT has therefore released the following rules to the Community ruleset, together with an explanation of the limitations of each.
For Bugtraq ID 17131:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"COMMUNITY WEB-CLIENT Internet Explorer intrinsic event heap overflow attempt"; \
    flow:established; content:"on"; nocase; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    pcre:"/on(afterupdate|(dbl)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; \
    reference:bugtraq,17131; sid:100000238; rev:1;)
NOTE: This rule is very performance intensive: the eleven chained pcre options (the R modifier anchors each match to the end of the previous one) must be evaluated across large HTML sessions. Because the relative matches carry no distance limit, the rule fires on eleven handler names anywhere in the server response in sequence, not on eleven handlers in a single tag, so pages that legitimately use many event handlers will also match. The alternative for the double-click handler must read (dbl)?click as shown; as originally published it read (db)?click, which never matches ondblclick.
For Bugtraq ID 17196:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE createTextRange overflow attempt"; flow:to_client,established; content:".createTextRange"; nocase; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; sid:100000239; rev:1;)
NOTE: This rule is a generic content match because the exploitation vectors are too varied for anything more specific, which means it has a very low signal-to-noise ratio. Many commonly used web sites call this function legitimately, and browsing them will generate events from this rule. Analyze events from this rule with care.
These rules are available in the Community Ruleset at http://www.snort.org/pub-bin/downloads.cgi#COMM.
Conclusion:
Effective detection of these web client vulnerabilities requires parsing the HTML DOM tree of every web page a client visits. That inspection is best performed by software on the client itself, which can do it in the context of the browser.
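The difference between the stream-level match in sid 100000238 and the per-tag inspection the conclusion calls for, as an added example that is not VRT or Snort code. The script reuses the handler names from the rule's pcre but counts them per HTML tag with a real parser, and sets that against a plain count of handler names anywhere in the response, which is all a chain of relative pcre matches can see. The per-tag threshold of 100 follows the VRT's observation for Bugtraq 17131 and the stream threshold of 11 is the number of pcre options in the rule; both sample pages are constructed here and carry no exploit payload.

```python
"""Per-tag intrinsic event handler counting for the IE action handler
overflow (Bugtraq 17131), set against the stream-level count a Snort rule sees.

Added example; not VRT or Snort code. The handler names come from
sid 100000238; the per-tag threshold of 100 is the VRT's observation and the
stream threshold of 11 is the number of pcre options in the rule. Both sample
pages are constructed here.
"""
from html.parser import HTMLParser
import re

# Handler names from the community rule's pcre, as one pattern (the
# double-click handler is spelled ondblclick, hence "(?:dbl)?click").
HANDLER_NAMES = (
    r'on(?:afterupdate|(?:dbl)?click|help|key(?:up|down|press)'
    r'|mouse(?:up|down|move|o(?:ut|ver))|(?:drag|select)start'
    r'|r(?:owe(?:xit|nter)|eadystatechange))'
)
HANDLER_ATTR_RE = re.compile(r'^' + HANDLER_NAMES + r'$', re.IGNORECASE)
STREAM_RE = re.compile(HANDLER_NAMES, re.IGNORECASE)

PER_TAG_THRESHOLD = 100  # "roughly 100" handlers in one tag (VRT analysis)
STREAM_THRESHOLD = 11    # chained pcre options in sid 100000238


class HandlerCounter(HTMLParser):
    """Record how many intrinsic event handler attributes each start tag carries."""

    def __init__(self):
        super().__init__()
        self.per_tag = []  # (tag name, handler attribute count), in document order

    def handle_starttag(self, tag, attrs):
        # html.parser keeps duplicate attributes, so a tag repeating onclick
        # 100 times is counted as 100, which is exactly the case of interest.
        count = sum(1 for name, _ in attrs if HANDLER_ATTR_RE.match(name))
        self.per_tag.append((tag, count))


def max_handlers_per_tag(html):
    """Largest number of handler attributes found on any one start tag."""
    parser = HandlerCounter()
    parser.feed(html)
    parser.close()
    return max((n for _, n in parser.per_tag), default=0)


def tag_triggers(html, threshold=PER_TAG_THRESHOLD):
    """DOM-level check: does any single tag carry `threshold` or more handlers?"""
    return max_handlers_per_tag(html) >= threshold


def stream_handler_count(html):
    """What the Snort rule approximates: handler names anywhere in the response."""
    return len(STREAM_RE.findall(html))


def stream_triggers(html, threshold=STREAM_THRESHOLD):
    """Stream-level check: `threshold` handler names in sequence, in any tags."""
    return stream_handler_count(html) >= threshold


# Constructed sample pages (no exploit payload). One tag carrying 100 handler
# attributes mirrors the condition the VRT describes; the benign page spreads
# 16 handlers over 8 links, enough to satisfy the rule's eleven matches.
MALFORMED_PAGE = ('<html><body><div ' + 'onclick="f()" ' * 100
                  + '>text</div></body></html>')
BENIGN_PAGE = '<html><body>' + ''.join(
    f'<a href="/item/{i}" onmouseover="hl({i})" onmouseout="un({i})">item {i}</a>'
    for i in range(8)) + '</body></html>'

if __name__ == '__main__':
    for label, page in (('malformed', MALFORMED_PAGE), ('benign', BENIGN_PAGE)):
        print(f'{label}: max handlers in one tag={max_handlers_per_tag(page)} '
              f'(per-tag check={tag_triggers(page)}), handlers in stream='
              f'{stream_handler_count(page)} (rule would fire={stream_triggers(page)})')
```

The benign page fires the stream-level check but not the per-tag one, which is the noise the rule's NOTE warns about and the reason the conclusion pushes this inspection to the client. The per-tag check is still only as good as the parser's view of the markup: IE's tolerant parsing may differ from html.parser on malformed input, so treat a miss as a miss of this parser, not proof that the page is clean.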
