[Emerging-Sigs] Signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue

Will Metcalf william.metcalf at gmail.com
Thu Oct 28 08:55:56 EDT 2010


content:"textRange.";

I think this is specific to the exploit and not to the vuln. this will
match on...

textRange.findText(unescape("%u4141"),-1);
textRange.select(document.getElementById('d'));

which is simply a var as defined by...

var textRange = textinput.createTextRange();

so why not content:"createTextRange"; instead.

I'm still not to sure how I feel about this rule as unless I
misunderstand it will fire on valid uses as well.

Regards,

Will

On Wed, Oct 27, 2010 at 11:56 PM, dave richards
<dave.richards0319 at gmail.com> wrote:
> Hi Matt,
>
> Please find the signature for Microsoft Internet Explorer MSHTML Findtext
> Processing Issue
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS
> Microsoft Internet Explorer MSHTML FindText Processing Issue";
> flow:to_client,established; content:"type="; nocase; distance:0;
> content:"textRange."; nocase; distance:0; content:"findText("; nocase;
> distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553;
> reference:url,exploit-db.com/exploits/15122;
> reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue;
> sid:20101020; rev:1;)
>
>
> Looking forward for your comments if any
> --
> Regards,
> Dave
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>


More information about the Emerging-sigs mailing list