Microsoft Windows 2000 WebDAV buffer overflow vulnerability signature available (fwd)

From: Alfred Huger (ah@securityfocus.com)
Date: Thu Mar 20 2003 - 14:32:33 EST


In regards to the WebDav thread.

---------- Forwarded message ----------
Date: Wed, 19 Mar 2003 21:57:58 -0700 (MST)
From: Sean Hittel <seanh@securityfocus.com>
To: aris-users@securityfocus.com
Subject: Microsoft Windows 2000 WebDAV buffer overflow vulnerability signature available

Hello,

The Symantec DeepSight Threat Analyst Team has created a Snort signature
for the Microsoft Windows 2000 WebDAV Buffer Overflow Vulnerability
(http://www.securityfocus.com/bid/7116).

The following Snort signatures are known by the Threat Analyst Team to
detect certain attack vectors of the Microsoft Windows 2000 WebDAV Buffer
Overflow Vulnerability:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webdav search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:5;)

However, neither of the above signatures will detect the nature of the
vulnerability.

It has been discovered that this vulnerability can be exploited without
the use of the "Translate: f" HTTP header. While the Threat Analyst Team
is not aware of any exploits in the wild that target this vulnerability
without using the "Translate: f" verb, the Nessus vulnerability testing
engine is known to contain a proof of concept exploit for this
vulnerability that does not utilize the "Translate: f" verb.

The second signature above will trigger on the Nessus proof of concept
exploit found in iis_webdav_overflow.nasl. However, the Threat Analyst
Team is aware of methodologies of exploiting this vulnerability which will
not trigger either of the above signatures.

As a result, the Threat Analyst Team has created the following signature,
which will detect all known variations of exploits for this vulnerability.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:30000; flow:to_server; reference:bugtraq,7116; rev:2;)

Although it was originally thought that the buffer required for
exploitation was 64kB, further analysis leads the Threat Analyst Team to
believe that the buffer required for exploitation may be 32kB in size,
rather than the 64kB used by the Nessus proof of concept exploit. This is
presently being researched further.

In spite of preliminary binary analysis of NTDLL.DLL leading us to believe
the buffer is 32kB in size, the Threat Analyst Team has not been able to
crash IIS using a 32kB buffer with any high degree of reliability. Since an
HTTP request of the format "/<more than 30000 characters>|0a|" is
anomalous on most networks, the signature has been modified to include
this possibility.

The DeepSight Threat Analyst Team is not aware of any situations in which
our Snort signature would produce any false negatives.

This rule may cause false positives in some environments, especially those
that employ non-HTTP-based protocols over TCP port 80. The rule has been
designed to detect a long HTTP request URI by keying on the first instance
of the "/" character in the HTTP request, and ensuring that a newline is
not present within a certain threshold of characters. If this signature
produces excessive false positives, the signature can be modified to look
for a 60000 byte buffer as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Miscellaneous long HTTP WebDAV request"; content:" /"; content:!"|0a|"; within:60000; flow:to_server; reference:bugtraq,7116; rev:2;)

Sean Hittel
Symantec DeepSight Threat Analyst
http://analyzer.securityfocus.com/
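The following is an added example (not part of the forwarded message and not the DeepSight team's code) that models the matching logic of the three Snort signatures above in Python and runs them over constructed HTTP requests: a normal GET, a GET carrying the Translate: f header, a Nessus-style SEARCH with a 64kB URI, and a variant with a 32kB URI that uses neither the SEARCH verb nor the Translate: f header. The model approximates Snort's content matching on a complete, stream-reassembled request, keying on the first " /" the way the long-request rule does; the verb and host in the samples are arbitrary and imply nothing about which verbs are exploitable.

```python
"""Python model of the three Snort signatures in the post, run over
constructed HTTP requests.  Added example, not the DeepSight team's code:
it approximates Snort's content matching on a complete, reassembled
request, keying on the first " /" the way the long-request rule does."""


def sid1042_translate_f(payload: bytes) -> bool:
    # content:"Translate|3a| F"; nocase;  (anywhere in the payload)
    return b"translate: f" in payload.lower()


def sid1070_webdav_search(payload: bytes) -> bool:
    # content:"SEARCH "; depth:8; nocase;  (only the first 8 bytes are searched)
    return b"search " in payload[:8].lower()


def long_webdav_request(payload: bytes, threshold: int = 30000) -> bool:
    # content:" /"; content:!"|0a|"; within:<threshold>;
    # Fires when the first " /" (start of the request URI) is not followed
    # by a 0x0a within `threshold` bytes.  Like the negated content match,
    # a buffer cut off before any line terminator also returns True, so
    # feed it complete requests rather than individual packets.
    start = payload.find(b" /")
    if start < 0:
        return False
    window = payload[start + 2:start + 2 + threshold]
    return b"\n" not in window


def evaluate(payload: bytes, threshold: int = 30000) -> dict:
    """Return which of the three signatures would fire on `payload`."""
    return {
        "sid1042_translate_f": sid1042_translate_f(payload),
        "sid1070_webdav_search": sid1070_webdav_search(payload),
        "long_webdav_request": long_webdav_request(payload, threshold),
    }


def http_request(method: bytes, uri: bytes, headers=()) -> bytes:
    """Build a minimal CRLF-framed HTTP/1.1 request (constructed sample)."""
    lines = [b"%s %s HTTP/1.1" % (method, uri), *headers, b"", b""]
    return b"\r\n".join(lines)


# Constructed sample traffic.  Sizes follow the post: a 64kB URI for the
# Nessus-style SEARCH request and a 32kB URI for a variant that uses neither
# the SEARCH verb nor the Translate: f header.  The GET verb and the host
# name are arbitrary choices for illustration, not claims about which verbs
# are exploitable.
HOST = b"Host: www.example.com"
NORMAL_GET = http_request(b"GET", b"/index.html", [HOST])
TRANSLATE_F_GET = http_request(b"GET", b"/default.asp", [HOST, b"Translate: f"])
SEARCH_64K = http_request(b"SEARCH", b"/" + b"A" * 65535, [HOST])
GET_32K = http_request(b"GET", b"/" + b"A" * 32000, [HOST])

SAMPLES = {
    "normal GET": NORMAL_GET,
    "GET with Translate: f": TRANSLATE_F_GET,
    "SEARCH with 64kB URI": SEARCH_64K,
    "GET with 32kB URI": GET_32K,
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24s} within:30000 -> {evaluate(req)}")
        print(f"{'':24s} within:60000 -> {evaluate(req, 60000)}")
```

Running it shows the trade-off the message describes: the 32kB variant is caught only by the long-request rule at within:30000, and by nothing at all once the threshold is raised to 60000, while the 64kB SEARCH request trips both sid 1070 and the long-request rule at either threshold.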




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT