VRT Advisories


VRT Rules 2005-06-15

Sourcefire VRT Certified Rules Update

Date: 2005-06-15

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various vendor Telnet client software and Microsoft Internet Explorer.

Details:

A telnet client and server can negotiate various options such as the character set to be used in the communication exchange. One particular option allows a client or server to send new environment options. Certain telnet clients will respond to a telnet server that issues a new environment send command for a particular environment variable, such as the current user. This information disclosure can be valuable to a potential attacker. Although this vulnerability affects multiple vendors it is also addressed in the Microsoft advisory MS05-033.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3687 and 3688.

Internet Explorer has an optional feature known as Content Advisor that allows unsuitable content to be blocked. The Content Advisor uses a ratings description file to determine what is considered to be unsuitable content. The ratings description file contains several statements including a name statement. An overly long value supplied to a specific name statement can cause a buffer overflow and the subsequent execution of arbitrary code.

A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3686.

A vulnerability exists in the way Internet Explorer handles the transparency chunk of a PNG file, enabling a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client. This vulnerability is addressed in the Microsoft advisory MS05-025.

A rule to detect attacks against this vulnerbility is included in this rule pack and is identified as sid 3689.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.