VRT Advisories



VRT Rules 2005-11-22

Sourcefire VRT Advisory

Date: 2005-11-22

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of the release of proof of concept code that demonstrates the ability to execute code via a vulnerability in the way that Internet Explorer handles a JavaScript event.

The Sourcefire VRT has confirmed that a rule identified as sid 4647, released on November 9, 2005, will generate events when an attempt is made to exploit this vulnerability, including the use of the proof of concept code.

Details:

A vulnerability exists in the way Internet Explorer handles the window() function when it is supplied as a parameter to the JavaScript "onload" handler. The conditions for exploitation occur when a page is opened in the browser that uses <body onload=window();>.

Detection:

Sourcefire rule packs released on November 9, 2005 contained sid 4647 that will generate events when an attempt is made to exploit this vulnerability, including the use of the proof of concept code.

Note: Sid 4647 is NOT enabled by default. Should detection for this vulnerability be needed, this rule should be enabled.
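Enabling a rule that is off by default normally means uncommenting its line in the rules file. The script below is an added example, not Sourcefire's tooling and not the text of any VRT rule: it assumes one rule per line, with a disabled rule being the same line prefixed by `#`, and it operates on a sample rules file constructed here with placeholder headers and messages. Only the sid numbers (4647, 4324, 4675) are taken from this page's advisories.

```python
import re
from typing import Iterable

# Matches the "sid:<number>;" option inside a Snort rule body.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def enable_sids(rules_text: str, wanted: Iterable[int]) -> str:
    """Return rules_text with every rule whose sid is in `wanted` uncommented.

    Assumption (not from the advisory): one rule per line, and a disabled rule
    is the same line prefixed with '#'. Plain comment lines and rules with
    other sids are returned unchanged.
    """
    wanted = set(wanted)
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if line.lstrip().startswith("#") and m and int(m.group(1)) in wanted:
            # drop the leading comment marker(s) and surrounding whitespace
            out.append(re.sub(r"^\s*#+\s*", "", line))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")


def active_sids(rules_text: str) -> set:
    """Set of sids whose rule line is not commented out."""
    found = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            found.add(int(m.group(1)))
    return found


# Constructed sample rules file. Only the sid numbers come from the advisories;
# the rule headers and messages are placeholders, not the real VRT rules.
SAMPLE_RULES = """\
# Sample rules file (constructed for this example)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE disabled rule"; sid:4647; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE enabled rule"; sid:4324; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE other disabled rule"; sid:4675; rev:1;)
"""

if __name__ == "__main__":
    print("active before:", sorted(active_sids(SAMPLE_RULES)))
    print("active after: ", sorted(active_sids(enable_sids(SAMPLE_RULES, [4647]))))
```

Running the block shows sid 4324 active before the change and sids 4324 and 4647 active afterwards, with the unrelated disabled rule (4675) left commented out. Verify the result with `active_sids` before reloading the sensor, since a rule that was never in the file cannot be enabled by uncommenting.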

Additional References:

Microsoft Security Advisory (911302)
http://www.microsoft.com/technet/security/advisory/911302.mspx

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted on Nov 22, 2005



VRT Rules 2005-11-17

Sourcefire VRT Certified Rules Advisory

Date: 2005-11-17


Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in the Microsoft implementation of RPC (MSRPC) that may allow an attacker to perform a Denial of Service (DoS) attack on an affected platform.

The Sourcefire VRT has confirmed that a rule identified as sid 4324, released on October 12, 2005, will generate events when an attempt is made to exploit this vulnerability via the UPnP service.

Details:

A vulnerability exists in the Microsoft RPC system that may present a remote attacker with the opportunity to cause a DoS condition on an affected host.

The condition manifests when a malformed request is made to the UPnP service in the data section of a call to the GetDeviceList function. On processing this request, memory consumption increases to the point where the system becomes unresponsive; repeated requests of this nature will cause the DoS to occur.

Detection:

Sourcefire SEU 5 and rule packs 30 and 40 released on October 12, 2005 contained sid 4324 that will generate events when an attempt is made to cause the DoS via the UPnP service.

Additional References:


Microsoft:
http://www.microsoft.com/technet/security/advisory/911052.mspx

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

Posted on Nov 17, 2005



VRT Rules 2005-11-09

Sourcefire VRT Certified Rules Update

Date: 2005-11-09

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of vulnerabilities affecting the Microsoft Windows shell environment, Oracle, Samba and Macromedia Flash. The Sourcefire VRT has also enhanced detection for a number of rules issued in previous rule pack releases.

Details:

A vulnerability in the way that the Windows shell handles the file properties of a shortcut file may allow an attacker to overflow a fixed length buffer and execute code of their choosing on the target system.

Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4643 and 4644.

A vulnerability exists in the Oracle Enterprise Manager Application Server Control application. This application does not properly check the length of user supplied data in parameters sent to the listening service. An attacker may be able to overflow a fixed length buffer and execute code of their choosing on an affected system.

Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4642, 4646 and 4677.

A vulnerability in Samba exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system. The attacker may also cause a DoS condition in the service or possibly gain unauthorized access to the target host.

Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4651 through 4674.

A programming error in certain versions of the Macromedia Flash Player may allow an attacker to run code of their choosing on a victim host. The Player does not perform stringent bounds checking when processing Flash movies, which may allow an attacker to embed code of their choosing in a malicious Flash format file.

A rule to detect attempts to exploit this vulnerability is included in this rule pack and is identified as sid 4675.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Posted on Nov 09, 2005



VRT Rules 2005-11-08

Sourcefire VRT Certified Rules Update

Date: 2005-11-08

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of a worm traversing the Internet that targets known vulnerabilities in certain PHP and CGI scripts. The worm, known as Lupper or Plupii, makes requests on port 80 for various scripts such as xmlrpc.php and awstats.pl.

The Sourcefire VRT has confirmed that a rule identified as sid 3827, released on July 22, 2005, will generate events when this worm tries to exploit the vulnerability in the PHP XML-RPC module. The Sourcefire VRT has also confirmed that a rule identified as sid 3813, released on June 30, 2005, will generate events when the worm tries to use the awstats vulnerability as an attack vector.

Details:

Analysis of the worm indicates that it attempts to exploit a weakness in the PHP XML-RPC module by making a malicious POST request to the xmlrpc.php script used by some PHP based applications. The worm may also try to exploit a weakness in the awstats application that can allow command execution on an affected host.

Successful exploitation results in the worm downloading a Trojan Horse program named lupii, which opens either port 7111 or 7222 to establish a UDP based control channel. The infected host then starts to scan for other potential victims at random IP addresses. Once a host is identified, the worm attempts to spread using the attack vectors outlined above.
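Where a sensor running sids 3827 and 3813 is not in the path, the same request patterns can be picked out of web server logs. The following is an added example, not part of the advisory and not a VRT rule: it assumes Apache-style common log format, flags POST requests to xmlrpc.php and any request for awstats.pl by script name (so a copy in a subdirectory is still caught), and runs over constructed sample lines; the 192.0.2.x and 198.51.100.x addresses are documentation ranges, not real hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/NCSA common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request patterns the advisory attributes to the worm: POSTs to xmlrpc.php and
# any request for awstats.pl. Matched on the script name only, so a request for
# /blog/xmlrpc.php is caught regardless of directory or query string.
WORM_SIGNATURES = (
    ("lupper-xmlrpc", "POST", re.compile(r"/xmlrpc\.php(\?|$)")),
    ("lupper-awstats", None, re.compile(r"/awstats\.pl(\?|$)")),
)


@dataclass
class Hit:
    rule: str
    host: str
    time: str
    method: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Name of the matching worm signature, or None."""
    for name, method, path_re in WORM_SIGNATURES:
        if method is not None and entry["method"] != method:
            continue
        if path_re.search(entry["path"]):
            return name
    return None


def scan_log(lines) -> List[Hit]:
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skipped here; a real deployment should count these
        rule = classify(entry)
        if rule:
            hits.append(Hit(rule, entry["host"], entry["time"], entry["method"], entry["path"]))
    return hits


def hosts_by_rule(hits: List[Hit]) -> dict:
    """Group source hosts per signature, for triage or a quick blocklist."""
    out = {}
    for h in hits:
        out.setdefault(h.rule, set()).add(h.host)
    return out


# Constructed sample log lines (not real traffic); the script names follow the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2005:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Nov/2005:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410',
    '192.0.2.44 - - [08/Nov/2005:10:01:06 +0000] "GET /cgi-bin/awstats.pl?config=www HTTP/1.0" 404 280',
    '198.51.100.7 - - [08/Nov/2005:10:02:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0',
    '198.51.100.7 - - [08/Nov/2005:10:02:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 500 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.rule:15} {h.host:14} {h.method:5} {h.path}")
    print(hosts_by_rule(scan_log(SAMPLE_LOG)))
```

Note that a plain GET of xmlrpc.php is not flagged, matching the advisory's description of a malicious POST; a 404 on awstats.pl is still reported because the request itself is the indicator, whether or not the script is installed.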

Posted on Nov 08, 2005



VRT Rules 2005-10-25

Sourcefire VRT Certified Rules Update

Date: 2005-10-25

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of multiple vulnerabilities affecting hosts using the Microsoft operating system.

Details:

Microsoft Security Bulletin MS05-046:

A vulnerability in the implementation of the Client Service for NetWare exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system.

Rules to detect exploits aimed at this vulnerability are included in this rule pack and are identified as sids 4509 through 4636.

Microsoft Security Bulletin MS05-043:

A vulnerability in the implementation of the Print Spooler Service on Microsoft Windows systems exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system.

Rules to detect exploits against this vulnerability are included in this rule pack and are identified as sids 4381 through 4508.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Posted on Oct 25, 2005


