[Emerging-Sigs] Multiple Sigs

Daniel Clemens dclemens at emergingthreatspro.com
Wed Oct 13 16:56:47 EDT 2010


On Oct 13, 2010, at 2:52 PM, Kevin Ross wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Embedded Executable File in PDF, This Program Cannot Be Run in DOS Mode"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"This program cannot be run in DOS mode"; nocase; distance:0; classtype:bad-unknown; sid:19340002; rev:1;)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Office mshtmled.dll HtmlDlgHelper Class Memory Corruption Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"3050F4E1-98B5-11CF-BB82-00AA00BDCE0B"; nocase; distance:0; content:"CHtmlDlgHelper"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4E1-98B5-11CF-BB82-00AA00BDCE0B/si"; classtype:attempted-user; reference:url,www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption; reference:cve,2010-3329; sid:19340003; rev:1;) 

The vulnerability relies on an office document .doc or .xls being loaded and this ActiveX method is called within Excel or Word or office being tricked into loading html where this html/activex method is being used. 

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; nocase; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:19340004; rev:1;) 

Can you provide more references for this? I'm curious about this. 

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; classtype:attempted-user; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; sid:19340005; rev:1;) 

I've really been thinking that even though writing ActiveX rules is a necessary evil , (some people want it), exploits will likely always evade most if not all ActiveX rules. What do you think? 
Can we start a list discussion on this as a whole?

| Daniel Uriah Clemens
| EmergingThreats Pro || c. 205.567.6850    
"Moments of sorrow are moments of sobriety"

More information about the Emerging-sigs mailing list