April 2005 Archive
Sourcefire VRT Certified Rules Update
Date: 2005-04-20
Synopsis:
Following continued research into Microsoft Security Bulletin MS05-021,
released on Tuesday, April 12 2005, the Sourcefire Vulnerability Research
Team (VRT) has released a new rule to detect possible attempts to exploit
a vulnerability in the handling of an extended SMTP verb by Microsoft
Exchange servers. The Sourcefire VRT has received reliable reports that a
worm that uses this vulnerability to propagate is being developed.
Details:
Microsoft Exchange servers use extensions to the SMTP protocol to
communicate with one another. The "X-Link2State" verb is used to share
routing (link state) information between Exchange servers.
A buffer overflow in the processing of this command may allow an attacker
to execute code of their choosing on an affected host.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3627.
Warning:
This rule will generate false positive events on legitimate traffic
between Exchange servers, since that is exactly where the verb is normally
seen. Administrators whose networks carry Exchange-to-Exchange traffic
should tune this rule for their environment rather than run it unmodified,
bearing in mind that suppressing it for all traffic between Exchange
servers also hides a compromised server attacking its peers, which is how
the reported worm would spread.
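The tuning the warning above asks for, worked through as an added example in Python rather than Snort rule syntax (this is not the VRT's rule 3627 and not code from the original advisory). It inspects SMTP command lines for the X-LINK2STATE verb, alerts when the verb's argument exceeds a size threshold, and suppresses alerts between hosts on an allowlist of known Exchange servers. The 1024-byte threshold, the host addresses, and the "FIRST CHUNK=" argument shape in the constructed sample lines are assumptions for illustration; the detector itself only keys on the verb and the argument length.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed threshold: the advisory does not state what size sid 3627 keys on, so an
# argument longer than 1024 bytes is treated as suspect here for illustration.
MAX_ARG_LEN = 1024


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    reason: str


class Link2StateDetector:
    """Flags oversized X-LINK2STATE verbs on SMTP command lines.

    `exchange_peers` lists the addresses of known Exchange servers; command lines
    exchanged between two listed hosts are not alerted on. That is the per-site
    tuning the advisory's warning asks for, expressed as an allowlist.
    """

    def __init__(self, exchange_peers: Iterable[str] = (), max_arg_len: int = MAX_ARG_LEN):
        self.peers = {ipaddress.ip_address(p) for p in exchange_peers}
        self.max_arg_len = max_arg_len

    def is_peer_traffic(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.peers
                and ipaddress.ip_address(dst) in self.peers)

    def inspect_line(self, src: str, dst: str, line: bytes) -> Optional[Alert]:
        """Inspect one SMTP command line (client-to-server direction)."""
        # SMTP verbs are case-insensitive; only the first token is the verb.
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if verb.upper() != b"X-LINK2STATE":
            return None
        if self.is_peer_traffic(src, dst):
            return None                       # expected Exchange-to-Exchange traffic
        if len(arg) > self.max_arg_len:
            return Alert(src, dst, "X-LINK2STATE argument of %d bytes exceeds %d"
                         % (len(arg), self.max_arg_len))
        return None

    def scan(self, flows: Iterable[Tuple[str, str, bytes]]) -> List[Alert]:
        alerts = []
        for src, dst, line in flows:
            alert = self.inspect_line(src, dst, line)
            if alert is not None:
                alerts.append(alert)
        return alerts


# Constructed sample command lines as (source IP, destination IP, line).
# 10.0.0.5 and 10.0.0.6 play the two Exchange servers; 198.51.100.7 is an outsider.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.6", b"EHLO mail.example.test\r\n"),
    ("10.0.0.5", "10.0.0.6", b"X-LINK2STATE FIRST CHUNK=" + b"A" * 64 + b"\r\n"),
    ("10.0.0.5", "10.0.0.6", b"X-LINK2STATE FIRST CHUNK=" + b"A" * 4000 + b"\r\n"),
    ("198.51.100.7", "10.0.0.6", b"x-link2state FIRST CHUNK=" + b"A" * 4000 + b"\r\n"),
    ("198.51.100.7", "10.0.0.6", b"MAIL FROM:<sender@example.test>\r\n"),
]


def run_sample() -> List[Alert]:
    """Only the outsider's oversized verb should be reported."""
    detector = Link2StateDetector(exchange_peers=["10.0.0.5", "10.0.0.6"])
    return detector.scan(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print("%s -> %s: %s" % (alert.src, alert.dst, alert.reason))
```

An IP allowlist is only as trustworthy as the anti-spoofing in front of the sensor, and it blinds the detector to a compromised peer; a tighter alternative is to keep the rule enabled for peer traffic with a higher threshold rather than to suppress it outright.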
Warning:
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should
upgrade to the latest revision or patch level for Snort to ensure these enhancements are
available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in the network security industry.
Posted on Apr 20, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-04-18
Synopsis:
Following continued research into Microsoft Security Bulletin MS05-017,
released on Tuesday, April 12 2005, the Sourcefire Vulnerability Research
Team (VRT) has released a number of new rules to detect possible attempts
to exploit the vulnerability.
This rule pack also includes a rule to detect attempts to cause a Denial
of Service using spoofed ICMP messages.
Details:
Microsoft Message Queuing (MSMQ) enables messages to be queued for
delivery at opportune times. Applications can query the message queue as
they come online or at scheduled times.
A programming error in the MSMQ subsystem may present an attacker with
the opportunity to overflow a fixed length buffer and execute code of
their choosing on an affected host.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3554 through 3625.
An ICMP "fragmentation needed" message (type 3, code 4) tells a sending
host that a packet it sent exceeded the MTU of a hop on the path and was
dropped, and carries the next-hop MTU the sender should use instead. An
attacker who can spoof such a message may be able to drive a host's path
MTU down so that it sends very small packets, degrading throughput to the
point of a Denial of Service (DoS).
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3626.
Posted on Apr 18, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-04-14
Synopsis:
Following continued research into Microsoft Security Bulletin MS05-019,
released on Tuesday, April 12 2005, the Sourcefire Vulnerability Research
Team (VRT) has determined that existing rules and preprocessors will
generate events if attempts are made to exploit the vulnerabilities
outlined in the bulletin.
Details:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A denial of service vulnerability exists in Microsoft Windows XP Service
Pack 2 and Windows Server 2003 that can be triggered by a specially
crafted TCP packet. To trigger it, an attacker sends a TCP SYN packet
whose source and destination IP address and port are identical. This is
known as a "Land attack"; it has been around for many years, and most
operating systems addressed it long ago.
Networks that do ingress and egress filtering correctly will not allow a
spoofed packet inbound that has an identical source and destination IP
address.
TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists in Microsoft hosts that may
permit an existing TCP connection to be reset.
Many TCP services, BGP among them, depend on a single long-lived TCP
connection. A weakness in the core TCP specification may let an attacker
reset a number of such connections and cause a Denial of Service (DoS).
The attack is possible because a TCP stack accepts a RST segment whose
sequence number falls anywhere inside the current receive window, not
only one that matches the next expected sequence number exactly. Because
BGP and similar services hold one established session open for a long
time on a predictable port pair, sweeping the sequence space in
window-sized steps until a spoofed RST is accepted is feasible.
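The in-window acceptance check and the cost of the blind sweep, as an added example in Python (not code from the advisory or from Snort). It implements the RFC 793 window test with 32-bit wrap-around, contrasts the vulnerable "any in-window RST is honoured" behaviour with the exact-match hardening that RFC 5961 later standardised, and simulates a sweep against a constructed connection state. The sequence number 0x12345678 and the 65535-byte window are assumptions chosen for the demonstration; the port pair is assumed already known to the attacker.

```python
import math
from typing import Callable, Optional

SEQ_SPACE = 2 ** 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: is `seq` inside [rcv_nxt, rcv_nxt + rcv_wnd)?
    Modular subtraction handles 32-bit sequence number wrap-around."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Behaviour described in the advisory: any RST whose sequence number lands
    in the receive window tears the connection down."""
    return seq_in_window(seq, rcv_nxt, rcv_wnd)


def rst_accepted_exact(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Hardened behaviour (later standardised as RFC 5961): only a RST whose
    sequence number matches the next expected one exactly is honoured; an
    in-window but inexact RST would instead be answered with a challenge ACK."""
    return seq == rcv_nxt


def blind_reset_budget(rcv_wnd: int) -> int:
    """Upper bound on RST segments needed to sweep the whole sequence space in
    window-sized steps when in-window RSTs are accepted."""
    return math.ceil(SEQ_SPACE / rcv_wnd)


def simulate_blind_reset(rcv_nxt: int, rcv_wnd: int,
                         accept: Callable[[int, int, int], bool]) -> Optional[int]:
    """Send spoofed RSTs with seq = 0, rcv_wnd, 2*rcv_wnd, ... and return the
    attempt number on which `accept` first honours one, or None if the sweep
    never succeeds (the exact-match stack is only hit by luck)."""
    for attempt, seq in enumerate(range(0, SEQ_SPACE, rcv_wnd), start=1):
        if accept(seq, rcv_nxt, rcv_wnd):
            return attempt
    return None


if __name__ == "__main__":
    nxt, wnd = 0x12345678, 65535            # constructed connection state
    print("sweep budget for window %d: %d RSTs" % (wnd, blind_reset_budget(wnd)))
    print("in-window stack reset on attempt", simulate_blind_reset(nxt, wnd, rst_accepted_in_window))
    print("exact-match stack reset on attempt", simulate_blind_reset(nxt, wnd, rst_accepted_exact))
```

The budget shrinks further when window scaling is in use, since the step size grows with the advertised window; conversely, not knowing the client's ephemeral port multiplies the work by the number of candidate ports, which is why BGP, with its fixed port 179 on one side and a session that stays up for days, is the service usually cited.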
IP Validation Vulnerability - CAN-2005-0048
A denial of service vulnerability exists in Microsoft Windows 98, 98 SE,
ME, Windows 2000 and Windows XP Service Pack 1 that may cause a denial of
service or possibly result in execution of arbitrary code on a vulnerable
host.
The operating systems above fail to properly validate improperly
formatted multi-byte IP options. These options have a standard format of
IP option code, IP option length, and IP option data.
The failure to drop a malformed IP option causes the operating system to
misinterpret the data that follows. This can cause memory access
violations that halt the kernel and cause a DoS condition to occur.
Successful exploitation of this issue may allow an attacker to execute
code of their choosing on an affected host.
Detection:
Spoofed Connection Request Vulnerability - CAN-2005-0688
A Land attack will be detected by the Snort rule with sid 527 and a message
of "BAD-TRAFFIC same SRC/DST".
TCP Connection Reset Vulnerability - CAN-2004-0230
A BGP reset attack will be detected by the rule with sid 2523 and a
message of "DOS BGP spoofed connection reset attempt". Other TCP services
may be vulnerable in principle, but their connections are usually
short-lived and their sequence numbers advance continuously, so there is
rarely a long period in which a guessed sequence number stays valid; this
makes them harder to reset.
IP Validation Vulnerability - CAN-2005-0048
The Snort decoder recognizes the presence of truncated IP options.
The event will appear in Snort logs as:
[**] [116:5:1] (snort_decoder): Truncated Ipv4 Options [**]
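The three network-layer checks in this bulletin, plus the spoofed ICMP path MTU check from the MS05-017 update above, collected into one small decoder as an added example in Python (not Snort's decoder and not code from the advisory). It parses a raw IPv4 packet, rejects an options field whose declared option length overruns the header (the "Truncated Ipv4 Options" condition), flags a TCP SYN with identical source and destination address and port (the Land attack), and flags an ICMP type 3 code 4 message whose next-hop MTU is below a floor. The 576-byte floor, the addresses, and the sample packets are assumptions constructed for the demonstration; the packet builders exist only to produce those samples and leave the TCP checksum zero.

```python
import socket
import struct
from typing import List, Tuple

# Assumed floor for the next-hop MTU; the advisory does not give the threshold used
# by sid 3626, so 576 (the classic IPv4 minimum reassembly size) is illustrative.
MIN_PMTU = 576


class DecodeError(Exception):
    pass


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used only to build the samples)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return ~s & 0xFFFF


def parse_ip_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk the IPv4 options field (RFC 791): EOL and NOP are single bytes, every
    other option is type, length, data. A length that runs past the end of the
    field is the condition the Snort decoder reports as 'Truncated Ipv4 Options'."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                               # End of Option List
            break
        if t == 1:                               # No Operation
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise DecodeError("option %d has no length byte" % t)
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise DecodeError("option %d length %d overruns options field" % (t, ln))
        out.append((t, opts[i + 2:i + ln]))
        i += ln
    return out


def inspect_packet(pkt: bytes) -> List[str]:
    """Return alert strings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20:
        raise DecodeError("short IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise DecodeError("bad version or IHL")
    try:
        parse_ip_options(pkt[20:ihl])
    except DecodeError as e:
        # Like the decoder, report the malformed header and go no further.
        return ["(snort_decoder): Truncated Ipv4 Options (%s)" % e]
    alerts, payload = [], pkt[ihl:]
    if proto == 6 and len(payload) >= 20:                        # TCP
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", payload[:14])
        if off_flags & 0x02 and src == dst and sport == dport:   # SYN, same src/dst
            alerts.append("BAD-TRAFFIC same SRC/DST (Land attack)")
    elif proto == 1 and len(payload) >= 8:                       # ICMP
        itype, icode, _, _, mtu = struct.unpack("!BBHHH", payload[:8])
        if itype == 3 and icode == 4 and mtu < MIN_PMTU:         # fragmentation needed
            alerts.append("ICMP PATH MTU: next-hop MTU %d below %d" % (mtu, MIN_PMTU))
    return alerts


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed-sample builder. Options go in as given (zero-padded to a 4-byte
    boundary) so that a deliberately malformed option survives into the packet."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte TCP header with only SYN set; TCP checksum left zero (not verified above).
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)


def icmp_frag_needed(next_hop_mtu: int) -> bytes:
    # Type 3, code 4 (RFC 1191): the last two header bytes carry the next-hop MTU.
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def sample_alerts() -> dict:
    """Constructed packets: one per condition, plus a benign control with a NOP option."""
    pkts = {
        "land": build_ipv4("10.0.0.9", "10.0.0.9", 6, tcp_syn(139, 139)),
        "pmtu": build_ipv4("198.51.100.1", "10.0.0.9", 1, icmp_frag_needed(68)),
        "trunc": build_ipv4("198.51.100.1", "10.0.0.9", 6, tcp_syn(40000, 80), b"\x83\x07\x04"),
        "benign": build_ipv4("198.51.100.1", "10.0.0.9", 6, tcp_syn(40000, 80), b"\x01\x00"),
    }
    return {name: inspect_packet(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, alerts in sample_alerts().items():
        print(name, alerts or "clean")
```

The "trunc" sample carries a loose source route option (type 131) claiming a length of 7 inside a 4-byte options field, which is exactly the shape of input a kernel that trusts the length byte will misread; a decoder that stops at the first bad option, as this one does, never reaches the transport checks for that packet, which is also why the decoder alert stands on its own in the Snort log rather than beside a rule hit.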
References:
Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx
Posted on Apr 14, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-04-12
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting Microsoft Internet Explorer and the Microsoft
Windows operating system.
Details:
Dynamic HTML extends static HTML pages to allow interactive web pages to
be easily created. A flaw in the Microsoft Internet Explorer DHTML
Engine may allow an attacker to exploit a race condition and possibly
execute code of their choosing on the victim host with the privileges of
the user running Internet Explorer.
Internet Explorer exposes various DHTML objects to JavaScript. Poor memory
management in Internet Explorer's object-handling code may allow an
attacker to overwrite portions of memory and execute code of their
choosing on a vulnerable host.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3549 and 3553.
A programming error in Microsoft Internet Explorer may allow an attacker
to execute code of their choosing on a vulnerable host. Specifically, the
error lies in the handling of hostnames of more than 256 characters. When
IE processes a hostname of that length, the process may crash or become
unstable, presenting the attacker with an opportunity to execute code of
their choosing on an affected system.
A rule to detect attacks against this vulnerability is included in this
rule pack and is identified as sid 3550.
Microsoft Windows has design errors that may enable an attacker to
execute code of their choosing on a vulnerable system. Specifically, it
is possible to execute code from objects not marked as executable.
Microsoft OLE2 allows objects to be embedded in and executed by
integrating applications. An object's Class ID (CLSID) tells an
application which component should load it, which is what lets the same
object be loaded by multiple applications. This CLSID is embedded in the
object and may be manipulated by an attacker to force an application into
executing code of the attacker's choosing.
Specifically, the CLSID can be made to point at the Microsoft HTML
Application Host (MSHTA). MSHTA.EXE will process each line of a file and
execute any script code it finds.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3551 and 3552.
Posted on Apr 12, 2005
Sourcefire VRT Certified Rule Update
Date: 2005-04-05
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has learned of serious
vulnerabilities affecting various implementations of Telnet.
Details:
The Telnet protocol provides interactive terminal sessions over a network.
A telnet client and server negotiate various options, such as the
terminal type or character set to be used in the session, and environment
variables can also be passed across the session by the client.
Programming errors in the telnet client code from various vendors may
allow a malicious or compromised server to overflow a fixed-length buffer
in the client through crafted option negotiation.
Rules to detect attacks against this vulnerability are included in this
rule pack and are identified as sids 3533 and 3537.
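The detection logic a sensor needs for this class of bug, as an added example in Python (not the VRT's rules 3533 or 3537 and not code from the advisory): a parser for telnet option subnegotiations (IAC SB option ... IAC SE, with IAC IAC as the escape for a literal 0xFF byte) run over server-to-client bytes, alerting when a subnegotiation body exceeds a size cap. The 255-byte cap is an assumption, since the advisory does not state the vulnerable buffer sizes; the two sample streams are constructed, using the IANA option numbers for TERMINAL-TYPE (24), LINEMODE (34) and NEW-ENVIRON (39).

```python
from typing import Iterator, List, Tuple

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
# Assumed bound: the advisory does not state the size of the overflowed buffers,
# so 255 bytes is an illustrative cap on a subnegotiation body.
MAX_SB_LEN = 255


def iter_subnegotiations(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (option, body) for each IAC SB <opt> ... IAC SE in a telnet stream.
    IAC IAC inside a body is an escaped 0xFF data byte and is unescaped. A
    subnegotiation that never sees IAC SE is yielded with everything up to the
    end of the stream, since a client buffering that body has already overflowed."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                          # escaped data byte outside SB
            i += 2
            continue
        if cmd != SB:                           # WILL/WONT/DO/DONT carry one option byte
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        if i + 2 >= n:
            break
        opt, body, j = stream[i + 2], bytearray(), i + 3
        while j < n and not (stream[j] == IAC and j + 1 < n and stream[j + 1] == SE):
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                body.append(IAC)
                j += 2
            else:
                body.append(stream[j])
                j += 1
        yield opt, bytes(body)
        i = j + 2


def check_telnet_stream(stream: bytes, max_sb_len: int = MAX_SB_LEN) -> List[str]:
    """Alert on any subnegotiation body larger than the cap."""
    return ["oversized subnegotiation for option %d: %d bytes" % (opt, len(body))
            for opt, body in iter_subnegotiations(stream) if len(body) > max_sb_len]


# Constructed server-to-client streams. BENIGN: IAC DO TERMINAL-TYPE, then a
# NEW-ENVIRON SEND request, then a login prompt. HOSTILE: a LINEMODE SLC
# subnegotiation carrying 2000 bytes of filler before IAC SE.
BENIGN = b"\xff\xfd\x18" + b"\xff\xfa\x27\x01\xff\xf0" + b"login: "
HOSTILE = b"\xff\xfa\x22\x03" + b"A" * 2000 + b"\xff\xf0"


def sample() -> Tuple[List[str], List[str]]:
    return check_telnet_stream(BENIGN), check_telnet_stream(HOSTILE)


if __name__ == "__main__":
    benign_alerts, hostile_alerts = sample()
    print("benign:", benign_alerts or "clean")
    print("hostile:", hostile_alerts)
```

A length cap is deliberately coarse: it catches the oversized negotiation regardless of which option the vendor mishandled, at the cost of false positives on any legitimately long subnegotiation, so a production rule would key on the specific option and suboption as the VRT rules do.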
Posted on Apr 05, 2005