Re: Rule Submit: NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow (msg#00149, security.ids.snort.bleedingsnort)
You're on a roll today Blake! Thanks, I'll post this now.

Matt

Blake Hartstein wrote:
> This rule detects an attempt to send more than 500 bytes to the
> SetFormatLikeSample() function of the NCTAudioFile2 ActiveX control.
>
> This ActiveX control is used by:
> Cool Audio, Altdo Software, NextLevel Systems, MP3 WAV Converter,
> McFunSoft, RecordNRip, Easy Ringtone Maker, Absolute Software, Xrlly
> Software, DanDans Digital Media, Power Audio Editor, Mystik Media,
> Cheetah CD/DVD Burner, Virtual CD, Joshua Software, Audio Edit Magic,
> Roemer Software, MP3 Normalizer, Sienzo Digital Music Mentor,
> SoftDiv Software, Movavi, Code-it Software, CDBurnerXP Pro, R.M. de
> Boer Software, Quikscribe, iMesh, EXPStudio Audio Editor, J. Hepple,
> DB Audio Mixer And Editor, Aurora Media Workshop, and Magic Video
>
> If you happen to use any of those, you should disable this ActiveX using
> the killbit.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE
> WEB-CLIENT NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow";
> flow:established,from_server; flowbits:isset,CLSID_DETECTED;
> content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC";
> content:"SetFormatLikeSample("; isdataat:500,relative; content:!")";
> distance:0; within:500; classtype:web-application-attack;
> reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/;
> sid:2003080; rev:1;)
>
> Note: this rule uses the CLSID_DETECTED flowbit from sid:2002174 to
> guarantee the CLSID is of the correct form; that flowbits check may be
> omitted if so desired.
>
> -Blake
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
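Added example, not part of the thread and not Bleeding Edge code: a small Python emulation of the payload checks in the rule quoted above (CLSID content match, the `SetFormatLikeSample(` token, `isdataat:500,relative`, and the negated `)` match with `distance:0; within:500`), run over constructed HTML response bodies so the firing conditions can be tested offline. It assumes the `flow:established,from_server` and `flowbits:isset,CLSID_DETECTED` conditions are already satisfied and does not model them; the sample pages and the `obj` variable name in them are made up for the test.

```python
import re

# Values taken from the rule quoted in the thread
CLSID = b"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"
CALL = b"SetFormatLikeSample("
THRESHOLD = 500  # isdataat:500,relative and within:500


def matches_rule(body: bytes) -> bool:
    """Emulate the rule's payload checks on one HTTP response body.

    Flow direction and the CLSID_DETECTED flowbit are assumed satisfied;
    only the content/isdataat logic of the rule is reproduced here.
    """
    # content:"<CLSID>" -- plain, case-sensitive match anywhere in the payload
    if CLSID not in body:
        return False

    # content:"SetFormatLikeSample(" -- Snort retries later occurrences when
    # the relative checks after the first one fail, so loop over all of them.
    for m in re.finditer(re.escape(CALL), body):
        after = m.end()
        # isdataat:500,relative -- at least 500 bytes must follow the match
        if len(body) - after < THRESHOLD:
            continue
        # content:!")"; distance:0; within:500 -- no ')' in the next 500
        # bytes, i.e. the argument list is still open 500 bytes in, which is
        # what an oversized string argument to this method looks like
        if b")" in body[after:after + THRESHOLD]:
            continue
        return True
    return False


def _page(arg: bytes) -> bytes:
    """Constructed sample HTML that instantiates the control and calls the method."""
    return (b"<object classid='clsid:" + CLSID + b"'></object>\n"
            b"<script>obj.SetFormatLikeSample(" + arg + b");</script>\n")


# Constructed test bodies (not real traffic)
BENIGN_SAMPLE = _page(b'"C:\\samples\\voice.wav"')          # short argument
SUSPICIOUS_SAMPLE = _page(b'"' + b"A" * 600 + b'"')          # 600-byte argument
LONG_PAGE_SAMPLE = _page(b'"x"') + b"<!-- " + b"B" * 600 + b" -->\n"  # long page, short call
MULTI_CALL_SAMPLE = (b"<object classid='clsid:" + CLSID + b"'></object>\n"
                     b'<script>obj.SetFormatLikeSample("short");\n'
                     b'obj.SetFormatLikeSample("' + b"A" * 600 + b'");</script>\n')


if __name__ == "__main__":
    for name, body in [("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE),
                       ("long page", LONG_PAGE_SAMPLE), ("multi call", MULTI_CALL_SAMPLE)]:
        print(f"{name:>10}: {'ALERT' if matches_rule(body) else 'no match'}")
```

The `LONG_PAGE_SAMPLE` case shows why the `within:500` negated match matters: `isdataat:500,relative` alone would fire on any page with 500 bytes of content after a perfectly normal call. The `MULTI_CALL_SAMPLE` case shows the retry behaviour of consecutive `content` checks, which this emulation reproduces with the loop. Like the rule itself, the match is case-sensitive (no `nocase`), so a method name or CLSID in a different case would not be caught by either.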