[Mimedefang] OT:sa rule to catch ie exploit

Kevin A. McGrail kmcgrail at pccc.com
Fri Jan 23 09:17:03 EST 2004


Lucas,

I looked at this same problem pretty heavily a few weeks ago and have a
couple of comments / questions:

1st, with SA I am 99.9% certain you don't need to do the http[s] test.  The
URI scan system will only pass in url strings and it is theoretical that IE
will completely parse a URL without the http[s] so I leave that part of the
scanning to SA.

2nd, your rule won't match the 5th url below.  I also don't believe the 5th
URL is a valid exploit.  I couldn't get it to work in IE or Mozilla.

3rd, I can't think of a legit reason to do a %00 or %01 in a url to begin
with so I scored it much much higher.

In conclusion, I can't find a reason not to continue using this test and
thought it would be helpful to repost it for comment now that there is some
interest in it.

uri KAM_URIPARSE       /(\%0[01]|\0).*\@/i
describe KAM_URIPARSE    Attempted use of URI bug.  Very high probability of fraud.
score KAM_URIPARSE     7.00

regards,
KAM

> Rule to detect IE exploit.
>
> Your mileage may vary.
>
> Will match these exploits:
> Replace ttp with http (so it will slip by my scanner and mcafee.)
>
> ttp://www.trusted_site.com%01%00@malicious_site.com/malicious.html
> ttp://www.trusted_site.com%01@malicious_site.com/malicious.html
> ttp://www.trusted_site.com%00@malicious_site.com/malicious.html
> ttp://www.trusted.com%00@www.malicious.com
> ttp://www.malicious.com%C0%80@www.trusted.com/
>
> Attached is the sa local.cf rule to do this.
> I recommend you leave it at the default level and see what you catch
> before raising the score.
>
> uri IE_ADDRESS_SPOOF_EXPLOIT  /^https?\:\/\/[^\/\s].*%0[01]@/
> describe IE_ADDRESS_SPOOF_EXPLOIT       Message contains IE address spoof
> score IE_ADDRESS_SPOOF_EXPLOIT .01
>
> You can see the regexp match by putting these items in a file and running
> this from the command line against a file:
>
> perl -ne 'print if s/(https?\:\/\/[^\/\s].*%0[01]@)/$1/' /tmp/test.txt
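To see which of the quoted test URLs each rule actually fires on, and which host a standards-following URI parser takes from each, here is an added Python harness (not code from the thread). The sample list is constructed from the quoted URLs with the http scheme restored, plus one ordinary URL with credentials; the regexes are transcribed from the Perl rules above.

```python
import re
from urllib.parse import urlsplit

# Kevin's rule: a %00/%01 (or a raw NUL) anywhere before an '@'; the scheme is not required.
KAM_URIPARSE = re.compile(r"(\%0[01]|\0).*\@", re.I)
# Lucas's rule, with the character class written as [01] ('|' inside [] is a literal).
IE_ADDRESS_SPOOF_EXPLOIT = re.compile(r"^https?\:\/\/[^\/\s].*%0[01]@")

# Constructed samples: the five quoted URLs with "ttp" restored to "http",
# plus a plain URL with userinfo that should not fire either rule.
SAMPLE_URIS = [
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%01@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%00@malicious_site.com/malicious.html",
    "http://www.trusted.com%00@www.malicious.com",
    "http://www.malicious.com%C0%80@www.trusted.com/",
    "http://user:secret@example.com/",
]


def kam_hits(uri: str) -> bool:
    return KAM_URIPARSE.search(uri) is not None


def lucas_hits(uri: str) -> bool:
    return IE_ADDRESS_SPOOF_EXPLOIT.search(uri) is not None


def split_authority(uri: str) -> tuple:
    """Return (userinfo, host): the text before the last '@' in the authority,
    which is what a spoof relies on being displayed, and the host a parser
    that follows the URI syntax actually connects to."""
    parts = urlsplit(uri)
    userinfo, _, _ = parts.netloc.rpartition("@")
    return userinfo, parts.hostname or ""


def evaluate(uris=SAMPLE_URIS):
    """One row per URI: (uri, KAM_URIPARSE hit, IE_ADDRESS_SPOOF_EXPLOIT hit, real host)."""
    return [(u, kam_hits(u), lucas_hits(u), split_authority(u)[1]) for u in uris]


if __name__ == "__main__":
    for uri, kam, lucas, host in evaluate():
        print(f"KAM={kam!s:5} IE={lucas!s:5} host={host:20} {uri}")
```

Neither rule matches the fifth URL (%C0%80 is not %00/%01), and only Kevin's rule fires when the scheme is absent, which is the point of his first comment.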
