
[Snort-sigs] [Fwd: Snort Signature for WedDAV]

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Thu Mar 20 2003 - 19:13:27 EST


-----Forwarded Message-----

From: Frank Knobbe <fknobbe@knobbeits.com>
To: seanh@securityfocus.com
Subject: Snort Signature for WedDAV
Date: 20 Mar 2003 18:12:50 -0600

Sean,

if you guys base your Snort signature on ideas we've been bouncing around on snort-sigs, I would appreciate if you feed some results back into that group. After all, this is not a single vendor dog'n'pony show, this is a collective effort by security folks to help the community at large.

Thanks,
Frank

Hello,

The Symantec DeepSight Threat Analyst Team has created a Snort signature for the Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability (http://www.securityfocus.com/bid/7116).

The following Snort signatures are known by the Threat Analyst Team to detect certain attack vectors of the Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content: "Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav search access"; flow:to_server,established; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:5;)

However, neither of the above signatures will detect the nature of the vulnerability.

It has been discovered that this vulnerability can be exploited without the use of the "Translate: f" HTTP header. While the Threat Analyst Team is not aware of any exploits in the wild that target this vulnerability without using the "Translate: f" verb, the Nessus vulnerability testing engine is known to contain a proof of concept exploit for this vulnerability that does not utilize the "Translate: f" verb.

The second signature above will trigger on the Nessus proof of concept exploit found in iis_webdav_overflow.nasl. However, the Threat Analyst Team is aware of methodologies of exploiting this vulnerability which will not trigger either of the above signatures.

As a result, the Threat Analyst Team has created the following signature, which will detect all known variations of exploits for this vulnerability.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:30000; flow:to_server; reference:Bugtraq,7116; rev: 2; )

Although it was originally thought that the buffer required for exploitation was 64kB, further analysis leads the Threat Analysis Team to believe that the buffer required for exploitation may be 32kB in size, rather than the 64kB used by the Nessus proof of concept exploit. This is presently being researched further.


In spite of preliminary binary analysis of NTDLL.DLL leading us to believe the buffer is 32kB in size, the Threat Analyst Team has not been able to crash IIS using a 32kB buffer with any high degree of reliability. Since an HTTP request of the format "/<more than 30000 characters>|0a|" is anomalous on most networks, the signature has been modified to include this possibility.

The DeepSight Threat Analyst Team is not aware of any situations in which our Snort signature would produce any false negatives.

This rule may cause false positives in some environments, especially those that employ non-HTTP-based protocols over TCP port 80. The rule has been designed to detect a long HTTP request URI by keying on the first instance of the "/" character in the HTTP request, and ensuring that a newline is not present within a certain threshold of characters. If this signature produces excessive false positives, the signature can be modified to look for a 60000 byte buffer as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:60000; flow:to_server; reference:Bugtraq,7116; rev: 2; )

Sean Hittel
Symantec DeepSight Threat Analyst
http://analyzer.securityfocus.com/
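The detection logic the message describes, as an added example that is not part of the original post or of Symantec's signature: a small Python matcher that applies the content checks of the three rules (sid 1042 "Translate: F", sid 1070 "SEARCH " within the first 8 bytes, and the DeepSight "no newline within N bytes after the first ' /'" rule) to constructed sample requests, not captured traffic. It goes slightly beyond the text by also showing the 30000 versus 60000 byte threshold trade-off on a 40000-byte URI and what the negated-content check does on an unreassembled packet fragment. The `require_full_window` switch is an added stricter variant and an assumption, not something in the posted rule.

```python
# Added example: a re-implementation of the three Snort content checks quoted
# in the message, run over constructed sample requests (not captured traffic).
# Offsets follow Snort semantics: depth:N confines a match to the first N
# payload bytes; content:!"|0a|"; within:N after a previous match means
# "no LF in the N bytes following that match".

# Constructed sample requests. The long URIs stand in for the oversized path
# the WebDAV overflow needs; the bytes themselves are filler, not an exploit.
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "search_translate_f": (
        b"SEARCH /default.asp HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Translate: f\r\n\r\n"
    ),
    "long_get_64k": b"GET /" + b"A" * 65535
                    + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_propfind_40k": b"PROPFIND /" + b"A" * 40000
                         + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def translate_f(payload: bytes) -> bool:
    """sid 1042: content:"Translate|3a| F"; nocase;"""
    return b"translate: f" in payload.lower()


def webdav_search(payload: bytes) -> bool:
    """sid 1070: content:"SEARCH "; depth:8; nocase;
    The 7-byte pattern must lie entirely inside the first 8 payload bytes."""
    return b"search " in payload[:8].lower()


def long_webdav_request(payload: bytes, within: int = 30000,
                        require_full_window: bool = False) -> bool:
    """DeepSight rule: content:" /"; content:!"|0a|"; within:N;
    True when no LF occurs in the N bytes following the first " /".

    With the faithful semantics (require_full_window=False) a buffer that
    simply ends before any LF also matches, which is what a single packet
    carrying the start of a request looks like without stream reassembly.
    require_full_window=True is an added stricter variant (assumption, not
    part of the posted rule) that only fires once N bytes are really present.
    """
    i = payload.find(b" /")
    if i == -1:
        return False
    start = i + 2                      # window begins after the " /" match
    window = payload[start:start + within]
    if require_full_window and len(window) < within:
        return False
    return b"\n" not in window


def evaluate(payload: bytes, within: int = 30000) -> dict:
    """Run all three checks on one request and report which would alert."""
    return {
        "translate_f": translate_f(payload),
        "webdav_search": webdav_search(payload),
        "long_webdav_request": long_webdav_request(payload, within),
    }


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:20s} within=30000 {evaluate(req, 30000)}")
        print(f"{name:20s} within=60000 {evaluate(req, 60000)}")
    # First 1460 bytes of the long request, i.e. one unreassembled TCP segment.
    frag = SAMPLES["long_get_64k"][:1460]
    print("fragment, faithful rule    :", long_webdav_request(frag))
    print("fragment, full window only :",
          long_webdav_request(frag, require_full_window=True))
```

Running it shows the trade-off the message discusses: the 40000-byte PROPFIND URI alerts at within:30000 but not at within:60000, while the Nessus-sized 64k request alerts at both. The fragment case shows why the rule's `flow:to_server` must be paired with stream reassembly in practice: on a bare packet the negated content matches as soon as the buffer runs out, so any request whose first segment lacks a newline would fire.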




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Thu Mar 20 19:38:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT

