Rule release for today - September 15, 2009
Mostly a maintenance release; we added multiple rules in the specific-threats, dns, web-client, dos, ftp and misc categories. Details here.
Vulnerability Report September 2009
This month's report covers three of the Microsoft Tuesday advisories, a remote code execution vulnerability in SMBv2, a vulnerability in the IIS FTP module and information on Dojocon.
SMBv2 <air quotes> DoS </air quotes>
Here's the dirty dirty dirt dirt. (All addresses SP2) If you send an SMBv2 packet off to Vista SP1 or SP2 that specifies the NEGOTIATE command, and the ProcessIDHigh word is not set to 0x0000, you do not in fact get a DoS. What happens is this: (Note that we control eax, a
Rule release for today - September 9, 2009
A quick release for an update to SID 15930 to address the possibility of remote code execution for the Microsoft Windows SMBv2 processing vulnerability. Information is available on snort.org here.
Microsoft Tuesday Coverage for September 2009
Microsoft Security Advisory (MS09-045): The Microsoft JScript scripting engine contains a programming error that may allow a remote attacker to execute code on an affected host. Microsoft Security Advisory (MS09-046): The Microsoft DHTML Editing Component ActiveX control contain
Microsoft IIS FTP Vulnerability - bad detection
Yesterday, we wrote about the Microsoft IIS FTP stack overflow. (here) Since then, we've seen some folks try to come up with detection for attacks targeting this vulnerability. Here are some things to think about when detecting this attack: 1. We saw some rules that d
Rule release for today - September 1, 2009
Microsoft IIS FTP Buffer Overflow: The Microsoft FTP module for Internet Information Services (IIS) contains a programming error that may allow a remote attacker to execute code on an affected system. The problem occurs in the processing of specially crafted directory names which
Microsoft IIS FTP Vulnerability
We saw some exploit code posted to milw0rm yesterday that relates to a vulnerability in the Microsoft IIS FTP module. Basically, it exploits a vulnerability where the server doesn't correctly parse directory names. The attack makes use of the FTP NLST command which will caus
Rule release for today - August 25, 2009
A maintenance release this one, a few new rules and some performance enhancements. Also, make sure you are using the dcerpc2 preprocessor now since these rule releases no longer include any of the flowbit rules that used to be needed for some DCERPC related vulnerabilities. As a