|
|
|
Choosing A Webhost: |
Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow: msg#00148security.ids.snort.bleedingsnort
This rule detects an attempt to send more than 500 bytes to the SetFormatLikeSample() function of the NCTAudioFile2 ActiveX control. This ActiveX control is used by: Cool Audio , Altdo Software , NextLevel Systems , MP3 WAV Converter , McFunSoft , RecordNRip , Easy Ringtone Maker , Absolute Software , Xrlly Software , DanDans Digital Media , Power Audio Editor , Mystik Media , Cheetah CD/DVD Burner , Virtual CD , Joshua Software , Audio Edit Magic , Roemer Software , MP3 Normalizer , Sienzo Digital Music Mentor , SoftDiv Software , Movavi , Code-it Software , CDBurnerXP Pro , R.M. de Boer Software , Quikscribe , iMesh , EXPStudio Audio Editor , J. Hepple , DB Audio Mixer And Editor , Aurora Media Workshop , and Magic Video If you happen to use any of those, you should disable this ActiveX using the killbit. alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; distance:0; within:500; classtype:web-application-attack; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; sid:2003080; rev:1;) Note: this rule uses the CLSID_DETECTED flowbit from sid:2002174 to guarantee the CLSID is of the correct form, that flowbits check may be omitted if so desired. -Blake -- This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
Bleeding-sigs mailing list Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
|
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Rule Submit: Apple Quicktime RTSP Overflow, Blake Hartstein |
|---|---|
| Next by Date: | Re: Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow, Matt Jonkman |
| Previous by Thread: | Re: Rule Submit: Apple Quicktime RTSP Overflow, Blake Hartstein |
| Next by Thread: | Re: Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow, Matt Jonkman |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Free MagazinesCisco NewsReceive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business. subscribe Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field. subscribe The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business. subscribe Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. subscribe Total Telecom Total Telecom is "The Economist of the communications industry". subscribe |
