Hey,

For sid:2003106, the content criteria might be a little too strict regarding whitespace and object names.

content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>";

The exploit will work with:

<html xmlns...
<html xmlns:v ="urn...
<html xmlns:v= "urn...
<html xmlns:v=" urn...
<html xmlns:v="urn :schemas...

It also works with carriage returns and/or tabs, e.g.,

<html xmlns:v="urn
:schemas...

<html
xmlns:v="urn<tab><tab><tab>:schemas...

Perhaps of greater concern is the object doesn't need to be "v" - it's just what the first exploit used and probably is being cut & pasted by everyone else. It can just as easily be "x" or any other letter or any other combination of letters and numbers.

If you want, it will also work as:

<html xmlns ="urn:blahblah-blah-net:vml">

Or for that matter, the following also works.

<html xmlns >

So really all that needs to happen is x being defined as xmlns, where x can be whatever you want, except special chars, and x needs a behavior which is what happens within the <style></style> tags. Only problem with matching on the contents of the <style> tags is it conforms perfectly with protocol and will trigger on any site that uses VML with a url behavior, even for legit reasons.

M
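As an added illustration of the whitespace and prefix variants listed in the post (this is example code written for this discussion, not a rule or script from the list or its contributors): the strict literal that sid:2003106 matches is compared with a whitespace- and prefix-tolerant regular expression over the variants quoted above, plus the two forms that change or drop the URN, which still slip past even the looser pattern, and a benign page that declares the same namespace, which is the false-positive caveat the post raises. The sample strings are constructed here; the pattern, the function names and the Snort `pcre:` carry-over mentioned in the comments are assumptions of this example.

```python
import re

# Constructed test inputs: the opening-tag variants quoted in the post,
# trimmed to the prefix the signature cares about.
VARIANTS = [
    '<html xmlns:v="urn:schemas-microsoft-com:vml">',    # exact bytes the rule matches
    '<html xmlns:v ="urn:schemas-microsoft-com:vml">',   # space before "="
    '<html xmlns:v= "urn:schemas-microsoft-com:vml">',   # space after "="
    '<html xmlns:v=" urn:schemas-microsoft-com:vml">',   # space inside the quotes
    '<html xmlns:v="urn :schemas-microsoft-com:vml">',   # space before the colon
    '<html xmlns:v="urn\r\n:schemas-microsoft-com:vml">',  # CRLF inside the URN
    '<html\nxmlns:v="urn\t\t\t:schemas-microsoft-com:vml">',  # newline and tabs
    '<html xmlns:x="urn:schemas-microsoft-com:vml">',    # prefix other than "v"
    '<HTML XMLNS:V="URN:SCHEMAS-MICROSOFT-COM:VML">',    # case change (rule has nocase)
]

# Constructed: the two forms from the post that keep no usable URN at all.
NO_URN = [
    '<html xmlns ="urn:blahblah-blah-net:vml">',
    '<html xmlns >',
]

# Constructed: a legitimate VML page that declares the same namespace.
BENIGN = ('<html xmlns:v="urn:schemas-microsoft-com:vml">'
          '<body><v:rect style="width:50pt;height:20pt"/></body></html>')

# What content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>"; nocase;
# reduces to: one fixed byte string, compared case-insensitively.
STRICT_LITERAL = '<html xmlns:v="urn:schemas-microsoft-com:vml">'


def strict_match(data: str) -> bool:
    """Emulate the rule's content match: exact bytes, case-insensitive."""
    return STRICT_LITERAL.lower() in data.lower()


# Tolerant form: any run of whitespace (space, tab, CR, LF) where the post
# shows it can appear, and any alphanumeric namespace prefix, or none.
# Assumed carry-over into the rule would be a pcre option with the /i
# modifier and the double quotes written as \x22.
TOLERANT = re.compile(
    r'<html\s+xmlns(?::[a-z0-9]+)?\s*=\s*"\s*urn\s*:\s*'
    r'schemas-microsoft-com\s*:\s*vml\s*"',
    re.IGNORECASE,
)


def tolerant_match(data: str) -> bool:
    """Match the VML namespace declaration regardless of whitespace or prefix."""
    return TOLERANT.search(data) is not None


def flagged(matcher, samples):
    """Return the indices of the samples a matcher flags, for side-by-side comparison."""
    return [i for i, s in enumerate(samples) if matcher(s)]


if __name__ == "__main__":
    print("strict   flags variants:", flagged(strict_match, VARIANTS))
    print("tolerant flags variants:", flagged(tolerant_match, VARIANTS))
    print("tolerant flags no-URN forms:", flagged(tolerant_match, NO_URN))
    print("tolerant flags benign VML page:", tolerant_match(BENIGN))
```

The strict literal catches only the exact bytes and their case variant; the tolerant pattern catches every whitespace and prefix variant the post lists, but still misses the forms with a changed or absent URN, and it fires on the benign page as well, which is the trade-off the post describes: the declaration alone is not a reliable discriminator, and matching deeper into the `<style>` behavior trades evasion for false positives.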
Frank Knobbe wrote:
> # Submitted 2006-09-18 by Christian Seifert
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; classtype:attempted-user; sid:2003102; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".Spline|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; classtype:attempted-user; sid:2003103; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; classtype:attempted-user; sid:2003104; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; classtype:attempted-user; sid:2003105; rev:1;)
>
> # Submitted 2006-09-19 by Chris Harrington
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Possible MSIE VML Exploit"; flow:established,from_server; content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>"; nocase; reference:url,sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html; classtype:misc-attack; sid:2003106; rev:1;)
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs bleedingsnort.com
> http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs