[Mimedefang] OT:sa rule to catch ie exploit
Kevin A. McGrail
kmcgrail at pccc.com
Fri Jan 23 09:17:03 EST 2004
Lucas,

I looked at this same problem pretty heavily a few weeks ago and have a
couple of comments / questions:

1st, with SA I am 99.9% certain you don't need to do the http[s] test. The
URI scan system will only pass in url strings and it is theoretical that IE
will completely parse a URL without the http[s] so I leave that part of the
scanning to SA.

2nd, your rule won't match the 5th url below. I also don't believe the 5th
URL is a valid exploit. I couldn't get it to work in IE or Mozilla.

3rd, I can't think of a legit reason to do a %00 or %01 in a url to begin
with so I scored it much much higher.

In conclusion, I can't find a reason not to continue using this test and
thought it would be helpful to repost it for comment now that there is some
interest in it.

uri KAM_URIPARSE /(\%0[01]|\0).*\@/i
describe KAM_URIPARSE Attempted use of URI bug. Very high probability of fraud.
score KAM_URIPARSE 7.00

regards,
KAM
> Rule to detect IE exploit.
>
> Your mileage may vary.
>
> Will match these exploits:
> Replace ttp with http (so it will slip by my scanner and mcafee.)
>
> ttp://www.trusted_site.com%01%00@malicious_site.com/malicious.html
> ttp://www.trusted_site.com%01@malicious_site.com/malicious.html
> ttp://www.trusted_site.com%00@malicious_site.com/malicious.html
> ttp://www.trusted.com%00@www.malicious.com
> ttp://www.malicious.com%C0%80@www.trusted.com/
>
> Attached is the sa local.cf rule to do this.
> I recommend you leave it at the default level and see what you catch
> before raising the score.
>
> uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[01]@/
> describe IE_ADDRESS_SPOOF_EXPLOIT Message contains IE address spoof
> score IE_ADDRESS_SPOOF_EXPLOIT .01
>
> You can see the regexp match by putting these items in a file and running
> this from the command line against a file:
>
> perl -ne 'print if s/(https?\:\/\/[^\/\s].*%0[01]@)/$1/' /tmp/test.txt
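As an added illustration (my own Python, not code from either poster, from SpamAssassin or from MIMEDefang), the two rules from this thread run over the sample URIs it lists, plus a check that generalises beyond the `%00`/`%01` escapes: in a URL authority, everything before the last `@` is userinfo that a conforming parser throws away, so the host actually contacted is whatever follows it. That is why the fifth URI, which neither regex matches, still has a different real host from the one it displays. Assumptions: the rules are applied as plain regexes to strings, as the perl one-liner does (SpamAssassin's own `uri` extraction is not simulated); Lucas's character class is written `[01]`; `ttp` is restored to `http` as the quoted post instructs; the two `example.com` entries are constructed controls; `matching_rules`, `real_host` and `is_userinfo_spoof` are hypothetical helper names.

```python
"""Run the thread's two SpamAssassin rule regexes over sample URIs and
show which host a standards-following parser actually resolves.

Hypothetical helper, not SpamAssassin or MIMEDefang code: the rules are
applied to plain strings, like the perl one-liner in the thread does.
"""
import re
from urllib.parse import urlsplit

# KAM's rule: a %00/%01 escape (or a raw NUL byte) anywhere before an '@'.
KAM_URIPARSE = re.compile(r"(%0[01]|\x00).*@", re.IGNORECASE)

# Lucas's rule, with the class written [01]; the posted [1|0] also matched
# a literal '|', which was not intended.
IE_ADDRESS_SPOOF_EXPLOIT = re.compile(r"^https?://[^/\s].*%0[01]@")

RULES = {
    "KAM_URIPARSE": KAM_URIPARSE,
    "IE_ADDRESS_SPOOF_EXPLOIT": IE_ADDRESS_SPOOF_EXPLOIT,
}

# The thread's sample URIs with "ttp" restored to "http"; the site names are
# the original post's placeholders. The last two are constructed controls.
SAMPLE_URIS = [
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%01@malicious_site.com/malicious.html",
    "http://www.trusted_site.com%00@malicious_site.com/malicious.html",
    "http://www.trusted.com%00@www.malicious.com",
    "http://www.malicious.com%C0%80@www.trusted.com/",
    "http://www.example.com/index.html",   # constructed: no userinfo at all
    "http://user@www.example.com/",        # constructed: ordinary userinfo
]


def matching_rules(uri):
    """Names of the rules whose regex matches the URI, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(uri)]


def real_host(uri):
    """Host a conforming parser resolves: the part of the authority after
    the last '@'; everything before it is userinfo, not a hostname."""
    return urlsplit(uri).hostname


def is_userinfo_spoof(uri):
    """True when the authority carries userinfo that looks like a hostname
    (contains a dot) and differs from the real host. This catches all five
    thread samples, including the %C0%80 one that neither regex matches."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return False
    userinfo = parts.netloc.rsplit("@", 1)[0]
    return "." in userinfo and userinfo.lower() != (parts.hostname or "")


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri)
        print("  rules hit :", matching_rules(uri) or "none")
        print("  real host :", real_host(uri))
        print("  spoofed?  :", is_userinfo_spoof(uri))
```

Running it shows both regexes firing on the first four URIs and neither on the fifth, while `is_userinfo_spoof` flags all five and leaves the two controls alone. A rule built on "dotted userinfo whose text differs from the host" would be broader than either posted regex; whether that breadth is acceptable depends on how much legitimate `user@host` traffic a site sees, which is exactly the "see what you catch before raising the score" step the quoted post recommends.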