VRT Advisories


April 2005 Archive

VRT Rules 2005-04-20

Sourcefire VRT Certified Rules Update

Date: 2005-04-20

Synopsis:

After continuing research into the Microsoft Security Bulletin (MS05-021) released on Tuesday, April 12, 2005, the Sourcefire Vulnerability Research Team (VRT) has released a new rule to detect possible attempts to exploit a vulnerability associated with an extended verb request in Microsoft Exchange servers. The Sourcefire VRT has received reliable reports that a worm that uses this vulnerability to propagate is being developed.

Details:

Microsoft Exchange servers use extensions to the SMTP protocol to communicate with one another. The "X-Link2State" verb is used to share routing information between Exchange servers.

A buffer overflow condition in the processing of this command may present an attacker with the opportunity to execute code of their choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3627.

Warning:

This rule will generate false positive events on normal traffic between Exchange servers. On networks where Exchange servers use these extensions, administrators should configure this rule as appropriate for their environment.
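The following is an added illustration, not Sourcefire or Snort code and not the logic of sid 3627, of how an inspector for the X-Link2State verb can be tuned around the false positives described above: the verb is expected only between known Exchange servers, so any occurrence from another host is flagged, while an oversized command is flagged regardless of sender. The server addresses, the length ceiling and the sample sessions are all constructed assumptions.

```python
# Added illustration (not Sourcefire/Snort code): a heuristic inspector for the
# Exchange "X-LINK2STATE" SMTP verb, with an allow-list of known Exchange server
# addresses to suppress the expected false positives on legitimate server-to-server
# traffic. Addresses, the length ceiling and the sessions below are constructed.
from dataclasses import dataclass
import ipaddress

# Hypothetical: internal Exchange servers that legitimately exchange link-state
# routing data with each other (assumed addresses, not from the advisory).
KNOWN_EXCHANGE_SERVERS = {
    ipaddress.ip_address("10.0.5.10"),
    ipaddress.ip_address("10.0.5.11"),
}

# Hypothetical ceiling for a single X-LINK2STATE command line; tune for the
# environment. The advisory does not state a length, so this is an assumption.
MAX_XLINK2STATE_LINE = 1024


@dataclass
class SmtpEvent:
    src: str
    dst: str
    line: str
    reason: str


def inspect_smtp_line(src: str, dst: str, line: str):
    """Return an SmtpEvent if the command line warrants an alert, else None."""
    verb = line.split(" ", 1)[0].upper().rstrip("\r\n")
    if verb != "X-LINK2STATE":
        return None
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    both_known = src_ip in KNOWN_EXCHANGE_SERVERS and dst_ip in KNOWN_EXCHANGE_SERVERS
    # Oversized command: alert regardless of who sent it.
    if len(line) > MAX_XLINK2STATE_LINE:
        return SmtpEvent(src, dst, line[:40] + "...", "oversized X-LINK2STATE command")
    # Normal-sized, but involving a host that is not a known Exchange server:
    # the verb has no business appearing here.
    if not both_known:
        return SmtpEvent(src, dst, line.rstrip("\r\n"), "X-LINK2STATE from non-Exchange host")
    # Known server pair, normal size: expected routing traffic, suppressed.
    return None


def inspect_session(src: str, dst: str, lines):
    """Run every line of a captured SMTP command stream through the inspector."""
    return [ev for ev in (inspect_smtp_line(src, dst, l) for l in lines) if ev]


# Constructed sample sessions (not real captures).
LEGIT_SESSION = ["EHLO exch1.corp.example\r\n", "X-LINK2STATE FIRST\r\n", "X-LINK2STATE LAST\r\n"]
SUSPECT_SESSION = ["EHLO unknown-host\r\n", "X-LINK2STATE CHUNK=" + "A" * 2000 + "\r\n"]

if __name__ == "__main__":
    print(inspect_session("10.0.5.10", "10.0.5.11", LEGIT_SESSION))   # []
    print(inspect_session("192.0.2.7", "10.0.5.11", SUSPECT_SESSION))  # one oversized event
```

The allow-list is the part that corresponds to "configure this rule as appropriate for their environment": without it, every routing exchange between legitimate Exchange servers would raise an event.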

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted on Apr 20, 2005



VRT Rules 2005-04-18

Sourcefire VRT Certified Rule Update

Date: 2005-04-18

Synopsis:

After continuing research into the Microsoft Security Bulletin (MS05-017) released on Tuesday, April 12, 2005, the Sourcefire Vulnerability Research Team (VRT) has released a number of new rules to detect possible attempts to exploit the vulnerability. Additionally, a rule to detect attempts to cause a Denial of Service using spoofed ICMP messages is included in this rule pack.

Details:

Microsoft Message Queuing (MSMQ) enables messages to be queued for delivery at opportune times. Applications can query the message queue as they come online or at scheduled times.

A programming error in the MSMQ subsystem may present an attacker with the opportunity to overflow a fixed length buffer and execute code of their choosing on an affected host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3554 through 3625.

An ICMP path MTU message informs a host that a packet it sent was too large for the path, would have to be fragmented, and will be dropped unless the host reduces its packet size to the designated MTU. It may be possible for an attacker to send a spoofed ICMP path MTU message to a host, causing it to send very small packets. This may then result in the host experiencing a Denial of Service (DoS).

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3626.
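As an added illustration of the spoofed path MTU issue (not Sourcefire or Snort code, and not the logic of sid 3626), the block below parses an ICMP "fragmentation needed" message of the kind used for path MTU discovery and applies two plausibility checks a defender can use before trusting it: the announced MTU must not fall below a floor, and the quoted packet must match a connection the host actually has. The floor value, the flow table and the sample messages are constructed assumptions.

```python
# Added illustration (not Sourcefire/Snort code): plausibility checks on an ICMP
# "fragmentation needed" (type 3, code 4) message of the kind used for path MTU
# discovery. A spoofed message can shrink a host's packet size; these checks
# reject messages that announce an implausibly small MTU or that quote a
# connection the host does not have. Flow table and floor are constructed.
import struct
import socket

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
# Policy floor for an acceptable next-hop MTU (assumed value, not from the
# advisory). RFC 791 requires every link to carry at least 68 bytes; 576 is the
# classic IPv4 default that many stacks refuse to go below.
MIN_ACCEPTED_MTU = 576


def parse_icmp_frag_needed(payload: bytes):
    """Return (next_hop_mtu, (src, dst, proto, sport, dport)) for a type 3 / code 4
    ICMP message, or None if the message is not of that type or is too short."""
    if len(payload) < 8 + 20 + 8:   # ICMP header + quoted IP header + 8 bytes of L4
        return None
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    if icmp_type != ICMP_DEST_UNREACH or icmp_code != ICMP_FRAG_NEEDED:
        return None
    quoted = payload[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return None
    proto = quoted[9]
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return mtu, (src, dst, proto, sport, dport)


def evaluate_pmtu_message(payload: bytes, active_flows) -> str:
    """Classify the message: 'accept', or a string naming why it was not accepted."""
    parsed = parse_icmp_frag_needed(payload)
    if parsed is None:
        return "ignored: not a well-formed fragmentation-needed message"
    mtu, flow = parsed
    if mtu < MIN_ACCEPTED_MTU:
        return f"rejected: next-hop MTU {mtu} below floor {MIN_ACCEPTED_MTU}"
    if flow not in active_flows:
        return "rejected: quoted packet does not match an active flow"
    return "accept"


def build_frag_needed(mtu, src, dst, sport, dport, proto=6) -> bytes:
    """Construct a sample ICMP type 3 / code 4 message for testing (checksum left zero)."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
    # Quoted IPv4 header: version 4, IHL 5, DF set, TTL 64, given protocol and addresses.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of the quoted segment
    return icmp_hdr + ip_hdr + l4


# Constructed flow table: (src, dst, proto, sport, dport) of connections this host owns.
ACTIVE_FLOWS = {("192.0.2.10", "198.51.100.5", 6, 40000, 179)}

if __name__ == "__main__":
    good = build_frag_needed(1400, "192.0.2.10", "198.51.100.5", 40000, 179)
    tiny = build_frag_needed(100, "192.0.2.10", "198.51.100.5", 40000, 179)
    stray = build_frag_needed(1400, "192.0.2.10", "203.0.113.9", 40000, 25)
    for msg in (good, tiny, stray):
        print(evaluate_pmtu_message(msg, ACTIVE_FLOWS))
```

The flow check is the stronger of the two: a message that does not quote a live connection can be discarded outright, whereas the MTU floor only limits how far a spoofed message can shrink the host's packets.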

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Posted on Apr 18, 2005



VRT Rules 2005-04-14

Sourcefire VRT Certified Rule Update

Date: 2005-04-14

Synopsis:

After continuing research into the Microsoft Security Bulletin (MS05-019) released on Tuesday, April 12, 2005, the Sourcefire Vulnerability Research Team (VRT) has determined that existing rules and pre-processors will generate events if attempts are made to exploit the vulnerabilities outlined in the bulletin.

Details:

Spoofed Connection Request Vulnerability - CAN-2005-0688
A Denial of Service vulnerability in Microsoft Windows XP Service Pack 2 and Windows Server 2003 hosts can be triggered by a specially crafted TCP packet.

To exploit this DoS condition, an attacker sends a TCP SYN packet with the same source and destination IP address and port. This is known as a "Land Attack" and while it has been around for many years, most operating systems have addressed the vulnerability.

Networks that do ingress and egress filtering correctly will not allow a spoofed packet inbound that has an identical source and destination IP address.

TCP Connection Reset Vulnerability - CAN-2004-0230
A denial of service vulnerability exists in Microsoft hosts that may permit an existing TCP connection to be reset.

Many TCP services such as BGP require a persistent TCP connection. A vulnerability in the core implementation of TCP may make it possible for an attacker to reset a number of connections and cause a Denial of Service (DoS) to occur.

The attack is possible because the receiving TCP stack accepts a sequence number that falls within a range around the expected value in an established session rather than only the exact expected value. Since BGP and other services rely on a long-lived established TCP session, guessing a sequence number that lands in that range and resets the connection is feasible.
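As an added illustration of why the acceptance range matters (not Microsoft's or Snort's code), the block below models the sequence-number check a receiver applies to an incoming RST. The classic rule accepts any RST whose sequence number lies inside the receive window, which is what makes blind resets feasible; the hardened rule, the approach later standardised in RFC 5961, aborts only on an exact match and otherwise answers with a challenge ACK so that a genuine peer retransmits with the right value. The window values used are constructed.

```python
# Added illustration (not Microsoft's or Snort's code): the RST acceptance rule
# of a TCP receiver, in its classic form (RFC 793, any in-window RST aborts)
# and its hardened form (RFC 5961, exact match or challenge ACK). Window sizes
# and sequence numbers below are constructed.
SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_classic(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 793 behaviour: any in-window RST tears the connection down."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_hardened(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 behaviour: only an exact-match RST aborts; an in-window but
    inexact RST triggers a challenge ACK, which a real peer answers by resending
    its RST with the exact sequence number; an out-of-window RST is dropped."""
    if seq == rcv_nxt:
        return "abort"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def window_sweep_count(rcv_wnd: int) -> int:
    """Risk metric: how many RST segments it takes to cover the whole 32-bit
    sequence space one receive window at a time. Under the classic rule this is
    the entire cost of a blind reset once the connection's addresses and ports
    are known; under the hardened rule the same sweep aborts nothing."""
    return -(-SEQ_SPACE // rcv_wnd)   # ceiling division


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1_000_000, 65_536
    guess = 1_040_000                      # in window, but not the exact value
    print(rst_action_classic(guess, rcv_nxt, rcv_wnd))    # abort
    print(rst_action_hardened(guess, rcv_nxt, rcv_wnd))   # challenge-ack
    print(window_sweep_count(65_536), window_sweep_count(16_384))  # 65536 262144
```

The two behaviours differ only on the "in window but inexact" case, and that case is exactly the one a blind guess lands in: a larger receive window shrinks the sweep count under the classic rule, while the hardened rule makes the window size irrelevant.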

IP Validation Vulnerability - CAN-2005-0048
A vulnerability exists in Microsoft Windows 98, 98 SE, ME, Windows 2000 and Windows XP Service Pack 1 hosts that may cause a denial of service or possibly result in execution of arbitrary code on a vulnerable host.

The operating systems above fail to properly validate improperly formatted multi-byte IP options. These options have a standard format of IP option code, IP option length, and IP option data.

The failure to drop a malformed IP option causes the operating system to misinterpret the data that follows. This can cause memory access violations that halt the kernel and cause a DoS condition to occur. Successful exploitation of this issue may allow an attacker to execute code of their choosing on an affected host.

Detection:

Spoofed Connection Request Vulnerability - CAN-2005-0688
A Land attack will be detected by the Snort rule with sid 527 and a message of "BAD-TRAFFIC same SRC/DST".

TCP Connection Reset Vulnerability - CAN-2004-0230
A BGP reset attack will be detected by the signature with sid 2523 and a message of "DOS BGP spoofed connection reset attempt". While other TCP services may be vulnerable, they often do not maintain a persistent connection or long periods of inactivity during which the TCP sequence number does not change. This makes it more difficult to reset the connection.

IP Validation Vulnerability - CAN-2005-0048
The Snort decoder recognizes the presence of truncated IP options.

The event will appear in Snort logs as:
[**] [116:5:1] (snort_decoder): Truncated Ipv4 Options [**]
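The following added example (not Snort's decoder and not the text of sid 527) shows the two checks that the detection section above attributes to Snort for the Land and IP option cases: a walk over the IPv4 options field that flags a multi-byte option whose declared length runs past the end of the header, and a check for a TCP SYN whose source and destination address and port are identical. The packets are constructed in memory for the demonstration; checksums are left at zero.

```python
# Added illustration (not Snort's decoder): a minimal IPv4/TCP decoder that
# flags a truncated multi-byte IP option (the condition Snort reports as
# "Truncated Ipv4 Options") and a SYN whose source and destination address and
# port are identical (a Land packet). Packets below are constructed.
import struct
import socket

IPOPT_EOL, IPOPT_NOP = 0, 1
TCP_SYN = 0x02


def validate_ip_options(opts: bytes):
    """Walk the options field. Returns None if every option is well formed,
    otherwise a string describing the first malformed option."""
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == IPOPT_EOL:           # end of option list; remaining bytes are padding
            return None
        if code == IPOPT_NOP:           # single-byte option
            i += 1
            continue
        # Every other option is code, length, data; length counts the code and itself.
        if i + 1 >= len(opts):
            return f"option 0x{code:02x} has no length byte"
        length = opts[i + 1]
        if length < 2:
            return f"option 0x{code:02x} declares impossible length {length}"
        if i + length > len(opts):
            return f"option 0x{code:02x} length {length} runs past end of header"
        i += length
    return None


def decode(packet: bytes):
    """Decode an IPv4 packet and return a list of detection messages (empty if clean)."""
    findings = []
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["IPv4 header length field invalid"]
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    problem = validate_ip_options(packet[20:ihl])
    if problem:
        findings.append("Truncated IPv4 options: " + problem)
    if proto == 6 and len(packet) >= ihl + 20:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        flags = packet[ihl + 13]
        if flags & TCP_SYN and src == dst and sport == dport:
            findings.append(f"BAD-TRAFFIC same SRC/DST: {src}:{sport} SYN")
    return findings


def build_packet(src, dst, sport, dport, flags=TCP_SYN, options=b"") -> bytes:
    """Assemble a constructed IPv4+TCP packet (checksums left at zero)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad header to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    land = build_packet("192.0.2.1", "192.0.2.1", 139, 139)
    # Record Route option (code 7) claims 12 bytes but only 4 are present.
    bad_opt = build_packet("192.0.2.1", "192.0.2.2", 1024, 80, options=b"\x07\x0c\x04\x00")
    ok = build_packet("192.0.2.1", "192.0.2.2", 1024, 80, options=b"\x01\x01\x01\x00")
    for p in (land, bad_opt, ok):
        print(decode(p))
```

The option walk is the part that matters for CAN-2005-0048: once a declared length exceeds the bytes actually present, any further parsing of the header is reading data that is not an option at all, which is the misinterpretation the advisory describes.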

References:

Microsoft Security Bulletin MS05-019
http://www.microsoft.com/technet/security/Bulletin/ms05-019.mspx


Posted on Apr 14, 2005



VRT Rules 2005-04-12

Sourcefire VRT Certified Rule Update

Date: 2005-04-12

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Internet Explorer and the Microsoft Windows operating system.

Details:

Dynamic HTML extends static HTML pages to allow interactive web pages to be easily created. A flaw in the Microsoft Internet Explorer DHTML Engine may allow an attacker to exploit a race condition and possibly execute code of their choosing on the victim host with the privileges of the user running Internet Explorer.

Internet Explorer allows various DHTML objects to be used via JavaScript. Poor memory management in the object handling code of Internet Explorer may allow an attacker to overwrite portions of memory and execute code of their choosing on a vulnerable host.

Rules to detect attacks against these vulnerabilities are included in this rule pack and are identified as sids 3549 and 3553.

A programming error in Microsoft Internet Explorer may allow an attacker to execute code of their choosing on a vulnerable host. Specifically, the error lies in the handling of hostnames longer than 256 characters. When Internet Explorer processes a hostname of this length or longer, the process may crash or become unstable, presenting the attacker with an opportunity to execute code of their choosing on an affected system.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3550.

Microsoft Windows has design errors that may enable an attacker to execute code of their choosing on a vulnerable system. Specifically, it is possible to execute code from objects not marked as executable.

Microsoft OLE2 allows objects to be executed by integrating applications. The Class ID (CLSID) of an object allows objects to be loaded by multiple applications. This CLSID is embedded in the object and may be manipulated by an attacker to force an application into executing code of the attacker's choosing.

Specifically, the CLSID can be made to point at the Microsoft HTML Application Host (MSHTA). MSHTA.EXE will process each line of a file and execute any script code it finds.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3551 and 3552.

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Posted on Apr 12, 2005



VRT Rules 2005-04-05

Sourcefire VRT Certified Rule Update

Date: 2005-04-05

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various implementations of Telnet.

Details:

The Telnet protocol is used to connect to remote machines over a network. A telnet client and server can negotiate various options, such as the character set to be used in the communication exchange. Various environment variables can also be set by issuing commands from the client.

Programming errors in the telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3533 and 3537.

Rule Pack Summary:

For a complete list of new and modified rules, click here.


Posted on Apr 05, 2005