[Emerging-Sigs] Sig for MS Office Snapshot
chandan
schandan at secpod.com
Mon Jul 14 09:00:23 EDT 2008
Signature for Microsoft Office Snapshot Viewer ActiveX control.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"Snapshot
Viewer for Microsoft Access ActiveX Control Arbitrary File Download";
flow:to_client,established; content:"clsid"; nocase;
pcre:"/(F0E42D50-368C-11D0-AD81-00A0C90DC8D9|F0E42D60-368C-11D0-AD81-00A0C90DC8D9|F2175210-368C-11D0-AD81-00A0C90DC8D9)/i";
pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i";
pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114;
reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;
reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html;
classtype:web-application-attack; sid:9003; rev:1;)
Regards,
Chandan
More information about the Emerging-sigs
mailing list