Thread: New contributed sigs for IE exploits

New contributed sigs for IE exploits
user name
2006-09-20 09:12:25
Yeah totally, it's a tough one for IDS.

Frank Knobbe wrote:
> On Wed, 2006-09-20 at 04:02 -0500, Michael Hale Ligh wrote:
>> For sid:2003106, the content criteria might be a little too strict
>> regarding whitespace and object names.
>>
>> content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>";
>>
>> The exploit will work with:
>>
>> <html      xmlns...
>> <html xmlns:v     ="urn...
>> <html xmlns:v=   "urn...
>> <html xmlns:v="  urn...
>> <html xmlns:v="urn   :schemas...
>
> and tons of others, yeah. Hey, I just committed it, I didn't submit it ;)
> I don't think this issue can be caught. Too many possible ways of
> evasion. However, I was hoping that the signature was submitted in
> response to an actual exploit seen. It should at least match that
> particular one ... at least for a little bit
>
> Setting a killbit in IE for VML is probably best
>
> Cheers,
> Frank
>
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
New contributed sigs for IE exploits
user name
2006-09-20 21:49:17
Hi,
I found it's also possible to initialize using the following,

<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v"/>
<object id="VMLRender" codebase="vgx.dll" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">

I would recommend a rule change to detect the overflow case, since there
are legitimate uses of this library; although it looks like it is old,
that doesn't mean it is malicious.

I propose the following rule, which detects an overly large value for the
method field:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Microsoft Internet Explorer VML Exploit"; \
    flow:established,to_client; \
    content:"urn|3a|schemas-microsoft-com|3a|vml"; nocase; \
    content:"CLSID|3a|10072CEC-8CC1-11D1-986E-00A0C955B42E"; nocase; \
    content:"method"; nocase; distance:0; \
    pcre:"/^[ \n]*=[ \n\x27\x22]*[^\x27\x22]/Ri"; \
    reference:cve,2006-4868; reference:bugtraq,20096; \
    classtype:attempted-user; sid:2003???; rev:1;)

Thoughts?
-Blake


Posted to bleedingbleeding also.

Michael Hale Ligh wrote:
> Yeah totally, it's a tough one for IDS.
>
> Frank Knobbe wrote:
>> On Wed, 2006-09-20 at 04:02 -0500, Michael Hale Ligh wrote:
>>> For sid:2003106, the content criteria might be a little too strict
>>> regarding whitespace and object names.
>>>
>>> content:"<html xmlns|3a|v=|22|urn|3a|schemas-microsoft-com|3a|vml|22|>";
>>>
>>> The exploit will work with:
>>>
>>> <html      xmlns...
>>> <html xmlns:v     ="urn...
>>> <html xmlns:v=   "urn...
>>> <html xmlns:v="  urn...
>>> <html xmlns:v="urn   :schemas...
>>>
>> and tons of others, yeah. Hey, I just committed it, I didn't submit it ;)
>> I don't think this issue can be caught. Too many possible ways of
>> evasion. However, I was hoping that the signature was submitted in
>> response to an actual exploit seen. It should at least match that
>> particular one ... at least for a little bit
>>
>> Setting a killbit in IE for VML is probably best
>>
>> Cheers,
>> Frank
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingsnort.com
> http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
>


