Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)
Jan Wrobel wrote:
> I don't know if this rule detects all possible exploits or just one
> particular type. Here is a Firekeeper version of the rule, which can
> be used to detect sites hosting malicious files:
>
> alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;)
A better way would be to look for all files that start with "RIFF" and contain two copies of the string "anih", the first one followed by the dword 0x24, the second one followed by a dword that's not 0x24. This should detect the exploitation of the stack overflow with no false negatives. To avoid false positives, you'll need code to parse all records in the ANI file and check for an "anih" record with a size not equal to 0x24.

Here's the regexp in Perl (somebody please convert it to a Snort rule):

/^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)/s
Alex
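As an added example (my code, not Alex's or Jan's), here is the record-walking check Alex describes, in Python, beside the regexp from the post, run over constructed sample files to show where the two disagree. It assumes the standard RIFF layout for .ani files (form type "ACON", chunk bodies padded to an even length, "anih" and "LIST" chunk names).

```python
import re
import struct

ANIH_SIZE = 0x24  # a well-formed anih chunk carries a 36-byte ANIHEADER

# The regexp from the post, with re.S so "." also crosses 0x0A bytes (the Perl version needs /s for that).
REGEX_RULE = re.compile(rb"^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)", re.S)

def regex_matches(data):
    return REGEX_RULE.search(data) is not None

def iter_chunks(data, offset, end):
    """Yield (fourcc, declared_size, chunk_offset) for each RIFF chunk in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, size, offset
        offset += 8 + size + (size & 1)  # chunk bodies are padded to an even length

def suspicious_anih_chunks(data):
    """Walk the ANI record structure and return [(offset, size)] for every anih chunk
    whose declared size is not 0x24. LIST chunks are descended into."""
    if data[:4] != b"RIFF":
        return []
    findings = []
    def walk(offset, end):
        for fourcc, size, off in iter_chunks(data, offset, end):
            if fourcc == b"anih" and size != ANIH_SIZE:
                findings.append((off, size))
            elif fourcc == b"LIST":
                # bound the sub-walk by the enclosing chunk even if the declared size lies
                walk(off + 12, min(off + 8 + size, end))
    walk(12, len(data))  # skip "RIFF", the file size and the "ACON" form type
    return findings

def riff_chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def build_ani(chunks):
    body = b"ACON" + b"".join(chunks)  # ACON is the RIFF form type of .ani files
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_ANIH = riff_chunk(b"anih", b"\x24\x00\x00\x00" + b"\x00" * 32)
# Constructed samples (not real malware): a benign cursor, a file shaped like the exploit
# (second anih with a size that is not 0x24), and a benign file whose icon data contains
# the bytes "anih", which the regexp flags but the record parser does not.
BENIGN_ANI = build_ani([GOOD_ANIH, riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\x01" * 20))])
EXPLOIT_SHAPED_ANI = build_ani([GOOD_ANIH, riff_chunk(b"LIST", b"fram" + riff_chunk(b"anih", b"A" * 0x80))])
FALSE_POSITIVE_ANI = build_ani([GOOD_ANIH, riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\x01" * 8 + b"anih\xff\xff" + b"\x01" * 6))])
```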