Rule Submit: Apple Quicktime RTSP Overflow

This is an attempt to detect when an overly large rtsp URI is sent to 
quicktime. In the given example, this was seen in a .qtl file

<?xml version="1.0"?><?quicktime type="application/x-quicktime-media-link"?><embed autoplay="true" moviename="somemoviename..{more}" 
 qtnext="2007" type="video/quicktime" src="rtsp://...{lots more}:...{even more}" />

The "...{lots more}:...{even more}" section triggers the buffer overflow and in 
this example was approximately 30,300 bytes long.


The first rule looks for 'rtsp:// and the second looks for "rtsp://, 
using the starting characters as terminating characters as well as a 
newline.
This particular example requires you to use a large flow_depth (see 
http_inspect) in order to detect the issue, because the specified 
moviename was very large also.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
WEB-CLIENT Apple Quicktime RTSP Overflow (1)"; 
flow:established,from_server; content:"|22|rtsp|3a|//"; content:!"|0a|"; 
distance:0; within:400; content:!"|22|"; distance:0; within:400; 
reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
WEB-CLIENT Apple Quicktime RTSP Overflow (2)"; 
flow:established,from_server; content:"|27|rtsp|3a|//"; content:!"|0a|"; 
distance:0; within:400; content:!"|27|"; distance:0; within:400; 
reference:cve,2007-0015; classtype:attempted-admin; sid:2003???; rev:1; )

-Blake

--
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.

bhartstein.vcf
Description: Vcard

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs