[Emerging-Sigs] Signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue

dave richards dave.richards0319 at gmail.com
Thu Oct 28 10:45:20 EDT 2010


Yes, I have noticed that, but for better precision, I have placed the
'.' after textRange. I feel it is not of big concern. What do you say?

Regards,
Dave


On Thu, Oct 28, 2010 at 6:50 PM, Will Metcalf <william.metcalf at gmail.com> wrote:

> Yes but your match is for the following.... Notice the ".";
>
> "textRange."
>
> Regards,
>
> Will
>
> On Thu, Oct 28, 2010 at 8:18 AM, dave richards
>  <dave.richards0319 at gmail.com> wrote:
> > Hi Will,
> >
> > "Mshtml.dll is one of the modules that is used in processing html tags which
> > exist in system32 directory. Vulnerability exists in Findtext function
> > related to TextRange object.
> >
> > TextRange object shows a text in html element. This object has some
> > functions, one of them is FindText. This function searches a string in an
> > exact range in the document and if the intended string is found returns
> > true."
> >
> > This is the description pertaining to MSHTML.
> >
> > If you still have any comments, let me know.
> >
> > On Thu, Oct 28, 2010 at 6:25 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> >>
> >> content:"textRange.";
> >>
> >> I think this is specific to the exploit and not to the vuln. This will
> >> match on...
> >>
> >> textRange.findText(unescape("%u4141"),-1);
> >> textRange.select(document.getElementById('d'));
> >>
> >> which is simply a var as defined by...
> >>
> >> var textRange = textinput.createTextRange();
> >>
> >> so why not content:"createTextRange"; instead.
> >>
> >> I'm still not too sure how I feel about this rule as, unless I
> >> misunderstand, it will fire on valid uses as well.
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> On Wed, Oct 27, 2010 at 11:56 PM, dave richards
> >> <dave.richards0319 at gmail.com> wrote:
> >> > Hi Matt,
> >> >
> >> > Please find the signature for Microsoft Internet Explorer MSHTML
> >> > Findtext Processing Issue
> >> >
> >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft Internet Explorer MSHTML FindText Processing Issue";
> >> > flow:to_client,established; content:"type="; nocase; distance:0;
> >> > content:"textRange."; nocase; distance:0; content:"findText("; nocase;
> >> > distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553;
> >> > reference:url,exploit-db.com/exploits/15122;
> >> > reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue;
> >> > sid:20101020; rev:1;)
> >> >
> >> >
> >> > Looking forward to your comments, if any.
> >> > --
> >> > Regards,
> >> > Dave
> >> >
> >> >
> >> >
> >
> >
> >
> > --
> > Regards,
> > Dave
> >
> >
>



-- 
Regards,
Dave
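
The trade-off discussed in this thread, as an added example that is not part of the original messages: a Python approximation of Snort's ordered, case-insensitive `content` matching, run over three constructed pages to compare the posted `content:"textRange."` with the suggested `content:"createTextRange"`. The helper names and sample pages are assumptions made for illustration; the two script lines in the first sample are the ones quoted in the thread.

```python
# Added illustration: approximates Snort `content` with `nocase` and
# `distance:0` (each match must start at or after the end of the previous one).

def contents_match(payload: str, contents: list[str]) -> bool:
    """True if every content string occurs in order, case-insensitively."""
    haystack = payload.lower()
    cursor = 0
    for needle in contents:
        idx = haystack.find(needle.lower(), cursor)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True

POSTED_RULE = ["type=", "textRange.", "findText("]     # contents from the posted rule
SUGGESTED = ["type=", "createTextRange", "findText("]  # with the suggested content

# Constructed sample pages (not captured traffic).
SAMPLES = {
    # Variable naming as quoted in the thread.
    "thread_poc_naming": (
        '<input type="text" id="textinput" value="abc"><script>'
        "var textRange = textinput.createTextRange();"
        'textRange.findText(unescape("%u4141"),-1);</script>'
    ),
    # Same calls, but the variable is no longer called textRange.
    "renamed_variable": (
        '<input type="text" id="textinput" value="abc"><script>'
        "var r = textinput.createTextRange();"
        'r.findText(unescape("%u4141"),-1);</script>'
    ),
    # Ordinary in-page search using the same API.
    "benign_search": (
        '<input type="text" id="q" value="hello"><script>'
        "var hits = document.body.createTextRange();"
        'if (hits.findText("hello")) { hits.select(); }</script>'
    ),
}

def evaluate(contents: list[str]) -> dict[str, bool]:
    """Run one content list over every sample page."""
    return {name: contents_match(body, contents) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    print("posted   :", evaluate(POSTED_RULE))
    print("suggested:", evaluate(SUGGESTED))
```

The posted contents stop matching once the variable is renamed, while the API-name variant covers the rename but also matches the benign search page, which is the false-positive concern raised in the thread.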