Thank you, Blake. It's a great signature!
I'd guess that most servers that will be observed (in
the near term) off the default ports will be
malicious. If Apple doesn't get this fixed, it's
possible that the RBN will improve on the exploit at
1800-search.com as people start blocking TCP 554 and
UDP 6970 through 6999. Most enterprise admins are
more likely to block those ports than try to set a
kill bit on individual machines.
James
--- bleeding-sigs-request bleedingthreats.net wrote:
> Today's Topics:
>
> 1. Re: Quicktime RTSP (Blake Hartstein)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 03 Dec 2007 19:05:06 -0500
> From: Blake Hartstein <urule99 gmail.com>
> Subject: Re: [Bleeding-sigs] Quicktime RTSP
> To: jim jamesmcquaid.com, Bleeding Sigs
> <bleeding-sigs bleedingthreats.net>
> Message-ID: <475499B2.6090906 gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm sure you are already aware of active exploitation surrounding the
> Quicktime Vulnerability on Windows and OSX. All servers I've seen use
> the default port 554/tcp so far, but despite that and other community
> input, I modified the rules to "any" port.
>
> Thanks James, (*and Joel Esler). I've also added a udp rule of the same
> flavor.
>
> Let me know if you have other suggestions. Thanks,
> -Blake
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; classtype:attempted-user; sid:2007703; rev:3; )
>
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; classtype:attempted-user; sid:2007704; rev:1; )
>
>
>
> Jim McQuaid wrote:
> > Thank you, Andre, Blake and Chris!
> >
> > This is most useful for us (Mac clients, iTunes on Windows, etc.).
> >
> > Using 'any' port may be best for those not filtering ports. Joel Esler
> > has a great post at ISC, "Blocking the RTSP protocol with proxy or
> > firewall rules may help mitigate this vulnerability. Note that RTSP
> > (default 554/tcp and 6970-6999/udp) may use a variety of port numbers,
> > so blocking the protocol based on a particular port may not be
> > sufficient."
> >
>
>
> ------------------------------
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
>
> End of Bleeding-sigs Digest, Vol 15, Issue 2
> ********************************************
>
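The matching logic of the two rules quoted above, re-implemented in Python as an added example (not code from the thread or from the Bleeding Edge ruleset) so the depth/distance/within semantics can be checked against sample responses; the RTSP responses and function names below are constructed for illustration.

```python
from typing import Optional

# Constructed RTSP responses (not captures from any real server) used to
# exercise the detection logic below.
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same response with an unusually long Content-Type value: no line feed
# follows the header name within 50 bytes, which is the condition the
# rule's negated content option encodes.
OVERLONG_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: " + b"x" * 120 + b"\r\n\r\n"
)


def _find_nocase(buf: bytes, needle: bytes, start: int = 0,
                 end: Optional[int] = None) -> int:
    """Case-insensitive search, mirroring Snort's 'nocase' modifier."""
    return buf.lower().find(needle.lower(), start, end)


def matches_rtsp_content_type_rule(payload: bytes) -> bool:
    """Apply the content options of sids 2007703/2007704 to one payload.
    Only the payload is inspected, so like the "any"-port rules the check
    does not depend on which TCP or UDP port the traffic used.
    """
    # content:"RTSP/"; nocase; depth:5;  -> the 5-byte needle must sit
    # entirely inside the first 5 bytes, i.e. at offset 0.
    if _find_nocase(payload, b"RTSP/", 0, 5) != 0:
        return False
    cursor = len(b"RTSP/")

    # content:"|0a|Content-Type|3a|"; nocase; distance:0;  -> searched from
    # the end of the previous match onward.
    hdr = _find_nocase(payload, b"\nContent-Type:", cursor)
    if hdr < 0:
        return False
    cursor = hdr + len(b"\nContent-Type:")

    # content:!"|0a|"; within:50;  -> the rule fires only when no LF appears
    # in the 50 bytes after the header name (a header value longer than a
    # legitimate MIME type would need).
    return b"\n" not in payload[cursor:cursor + 50]
```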