VRT Rules 2005-11-09
Sourcefire VRT Certified Rules Update
The Sourcefire Vulnerability Research Team (VRT) has learned of vulnerabilities affecting the Microsoft Windows shell environment, Oracle, Samba and Macromedia Flash. The Sourcefire VRT has also enhanced detection for a number of rules issued in previous rule pack releases.
A vulnerability in the way that the Windows shell handles the file properties of a shortcut file may allow an attacker to overflow a fixed-length buffer and execute code of their choosing on the target system.
Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4643 and 4644.
A vulnerability exists in the Oracle Enterprise Manager Application Server Control application. This application does not properly check the length of user-supplied data in parameters sent to the listening service. An attacker may be able to overflow a fixed-length buffer and execute code of their choosing on an affected system.
Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4642, 4646 and 4677.
A vulnerability in Samba exists due to a programming error which may present an attacker with the opportunity to exploit the service and run code of their choosing on an affected system. The attacker may also cause a DoS condition in the service or possibly gain unauthorized access to the target host.
Rules to detect attempts to exploit this vulnerability are included in this rule pack and are identified as sids 4651 through 4674.
A programming error in certain versions of the Macromedia Flash Player may allow an attacker to run code of their choosing on a victim host. The Player does not perform stringent bounds checking when processing Flash movies, which may permit an attacker to include code of their choosing in a malicious Flash format file.
A rule to detect attempts to exploit this vulnerability is included in this rule pack and is identified as sid 4675.
Rule Pack Summary:
For a complete list of new and modified rules, click here.
Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.
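The following is an added example, not part of the Sourcefire release: a Python check that a local Snort rule file contains the sids named in this update and that none of them are commented out. The sample rules are constructed placeholders, and the parser assumes one rule per line with disabled rules prefixed by '#'.

```python
import re

# sids named in this release, grouped by the vulnerability they cover
RELEASE_SIDS = {
    "Windows shell shortcut": {4643, 4644},
    "Oracle Enterprise Manager": {4642, 4646, 4677},
    "Samba": set(range(4651, 4675)),  # 4651 through 4674 inclusive
    "Macromedia Flash": {4675},
}

# Assumption: one rule per line (no backslash continuations); a disabled
# rule is a rule line commented out with a leading '#'.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop|activate|dynamic)\b"
    r".*\bsid\s*:\s*(\d+)\s*;"
)

def scan_rules(text):
    """Return (enabled, disabled) sets of sids found in Snort rule text."""
    enabled, disabled = set(), set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            (disabled if m.group(1) else enabled).add(int(m.group(3)))
    # A sid that is active anywhere in the text counts as enabled.
    return enabled, disabled - enabled

def coverage(text):
    """Per vulnerability, list release sids that are missing or disabled."""
    enabled, disabled = scan_rules(text)
    return {
        name: {
            "missing": sorted(sids - enabled - disabled),
            "disabled": sorted(sids & disabled),
        }
        for name, sids in RELEASE_SIDS.items()
    }

# Constructed sample; headers, messages and revisions are placeholders.
SAMPLE = """\
alert tcp any any -> any any (msg:"placeholder A"; sid:4643; rev:1;)
# alert tcp any any -> any any (msg:"placeholder B"; sid:4644; rev:1;)
alert tcp any any -> any any (msg:"placeholder C"; sid:4675; rev:1;)
# This comment mentions sid:4642; but is not a rule
alert tcp any any -> any any (msg:"placeholder D"; sid:4642; rev:2;)
"""

if __name__ == "__main__":
    for name, result in coverage(SAMPLE).items():
        print(name, result)
```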
About the VRT:
The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.