VRT Rules 2005-07-22
Sourcefire VRT Certified Rules Update
The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Windows, RealPlayer, MailEnable, the PHP XML-RPC module and FutureSoft TFTP server.
A programming error in the processing of malformed InfoTech protocol messages used by Microsoft help, can lead to the exposure of a buffer overflow condition. An attacker may be able to overflow this buffer and supply code of their choosing to be executed on the system with the privileges of the administrative account. In addition, applications may treat Windows Help as a trusted program and further exploitation and host firewall bypass may be possible.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3819 through 3821.
The RealPlayer media player uses RealText to support streaming text documents. A vulnerability exists in the way RealPlayer handles a malformed request for a .rt file that contains an incorrect RealText version number. If an overly long .rt filename is requested and an incorrect RealText version is specified, a buffer allocated to handle error conditions can be overflowed. This may permit the execution of arbitrary code.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3822 through 3823.
MailEnable is a Windows-based mail server. A vulnerability exists in the MailEnable SMTP server, possibly allowing a denial of service or the execution of arbitrary code with system privileges.
A Rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3824.
A vulnerability exists in the PHP XML-RPC module that may allow unauthorized users to execute arbitrary commands. No user authentication is required to execute these commands.
A Rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3827.
A vulnerability exists in the FutureSoft TFTP server when processing overly long read or write requests for either a file name or transfer mode string. This may cause a buffer overflow and the subsequent execution of arbitrary commands on a vulnerable server.
Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3817 through 3818.
Rule Pack Summary:
For a complete list of new and modified rules, click here.
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.
About the VRT:
The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.