|
|
|
Choosing A Webhost: |
Re: Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflo: msg#00149security.ids.snort.bleedingsnort
You're on a roll today Blake! Thanks I'll post this now. Matt Blake Hartstein wrote: > This rule detects an attempt to send more than 500 bytes to the > SetFormatLikeSample() function of the NCTAudioFile2 ActiveX control. > > This ActiveX control is used by: > Cool Audio , Altdo Software , NextLevel Systems , MP3 WAV Converter , > McFunSoft , RecordNRip , Easy Ringtone Maker , Absolute Software , Xrlly > Software , DanDans Digital Media , Power Audio Editor , Mystik Media , > Cheetah CD/DVD Burner , Virtual CD , Joshua Software , Audio Edit Magic > , Roemer Software , MP3 Normalizer , Sienzo Digital Music Mentor , > SoftDiv Software , Movavi , Code-it Software , CDBurnerXP Pro , R.M. de > Boer Software , Quikscribe , iMesh , EXPStudio Audio Editor , J. Hepple > , DB Audio Mixer And Editor , Aurora Media Workshop , and Magic Video > > If you happen to use any of those, you should disable this ActiveX using > the killbit. > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE > WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; > flow:established,from_server; flowbits:isset,CLSID_DETECTED; > content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; > content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; > distance:0; within:500; classtype:web-application-attack; > reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; > sid:2003080; rev:1;) > > Note: this rule uses the CLSID_DETECTED flowbit from sid:2002174 to > guarantee the CLSID is of the correct form, that flowbits check may be > omitted if so desired. > > -Blake > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc
|
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow, Blake Hartstein |
|---|---|
| Next by Date: | Snort_inline 2.6.1.2 BETA 1 released!, Matt Jonkman |
| Previous by Thread: | Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow, Blake Hartstein |
| Next by Thread: | Snort_inline 2.6.1.2 BETA 1 released!, Matt Jonkman |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Free MagazinesCisco NewsReceive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business. subscribe Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field. subscribe The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business. subscribe Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. subscribe Total Telecom Total Telecom is "The Economist of the communications industry". subscribe |
