Re: False positive in 2650.2 (ORACLE user name buffer overflow attempt)

On Oct 22, 2004, at 2:20 PM, nnposter wrote:
> By no means I would see myself as an expert on SQL*Net but I have
> a suspicion that 2650 has a false positive because it looks for user
> name header "(user=" and then for a non-presence of a double quote.
> My speculation is that it should be perhaps looking for a non-presence
> of a closing parenthesis.

Yeah, send me this the pcap please.  I wrote a *very* small subset 
SQL*Net implementation a long time ago.  Most of my knowledge of 
SQL*Net is from the research I did building that implementation.  I 
could have got this bit wrong.  Since I don't have a production oracle 
environment, some of these might get false positives.

Much of the work we've done with the oracle rules has been done by Judy 
Novak & Alex Kirk (both of Sourcefire), doing the function by function 
validation of overflows & finding the breaking point for each function. 
 I just figured out a good way to thunk all of the attack vectors for 
each broken function into one rule and wrote the code that turns their 
output into rules.  We have a few hundred rules that were built this 
way.   In fact, all but a handful of the oracle rules.

If you have any issues with any of the oracle overflows, please let me 
know so I can correct the issue asap, since the same issue probably 
affects the couple hundred rules as well.

Thanks,
Brian



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl