Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow

This rule detects an attempt to send more than 500 bytes to the 
SetFormatLikeSample() function of the NCTAudioFile2 ActiveX control.

This ActiveX control is used by:
Cool Audio , Altdo Software , NextLevel Systems , MP3 WAV Converter , 
McFunSoft , RecordNRip , Easy Ringtone Maker , Absolute Software , Xrlly 
Software , DanDans Digital Media , Power Audio Editor , Mystik Media , 
Cheetah CD/DVD Burner , Virtual CD , Joshua Software , Audio Edit Magic 
, Roemer Software , MP3 Normalizer , Sienzo Digital Music Mentor , 
SoftDiv Software , Movavi , Code-it Software , CDBurnerXP Pro , R.M. de 
Boer Software , Quikscribe , iMesh , EXPStudio Audio Editor , J. Hepple 
, DB Audio Mixer And Editor , Aurora Media Workshop , and Magic Video

If you happen to use any of those, you should disable this ActiveX using 
the killbit.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; 
flow:established,from_server; flowbits:isset,CLSID_DETECTED; 
content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; 
content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; 
distance:0; within:500; classtype:web-application-attack; 
reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; 
sid:2003080; rev:1;)

Note: this rule uses the CLSID_DETECTED flowbit from sid:2002174 to 
guarantee the CLSID is of the correct form, that flowbits check may be 
omitted if so desired.

-Blake

--
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.

bhartstein.vcf
Description: Vcard

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs