[Emerging-Sigs] Signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 29 06:13:39 EDT 2010


I don't think it's worth going for this exact exploit. It'll be changed. :)

Matt


On Oct 28, 2010, at 10:31 PM, dave richards wrote:

> Sorry, a Typo error
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft Internet Explorer MSHTML Findtext Remote Code Execution Attempt"; flow:to_client,established; content:"type="; nocase; distance:0; content:"id=\"Abysssec\""; nocase; distance:0; content:"textRange."; nocase; distance:0; content:"findText("; nocase; distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553; reference:url,exploit-db.com/exploits/15122; reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20111020; rev:1;)
> 
> Regards,
> 
> Dave
> 
> 
> 
>  
> On Fri, Oct 29, 2010 at 7:59 AM, dave richards <dave.richards0319 at gmail.com> wrote:
> Hi Matt,
>  
> I feel the signature is on par with the description  probably missed adding content:"\"id=Abyssec\""; as Will said I am going to modify like this
>  
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft Internet Explorer MSHTML Findtext Remote Code Execution Attempt"; flow:to_client,established; content:"type="; nocase; distance:0; nocase; content:"id=\"Abysssec\""; nocase; distance:0; content:"textRange."; nocase; distance:0; content:"findText("; nocase; distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553; reference:url,exploit-db.com/exploits/15122; reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20111020; rev:1;)
> 
> But I am not sure on "content:"id=\"Abysssec\""; " thing
> 
> Looking forward to your thoughts,
> 
> Regards,
> 
> Dave
> 
> 
> 
> On Fri, Oct 29, 2010 at 1:32 AM, Will Metcalf <william.metcalf at gmail.com> wrote:
> but you are just matching on the var name assigned in the javascript
> for example... This should work just as well I think.
> 
> var textinput  = document.getElementById("abysssec");
> 
> var ETIsAwesome = textinput.createTextRange();
> ETIsAwesome.findText(unescape("%u41"),1);
> ETIsAwesome.select(document.getElementById('d'));
> document.body.appendChild(textinput);
> 
> If you are just trying to match this particular exploit why not just
> content:"input id=\"Abysssec\"";
> 
> Regards,
> 
> Will
> 
> On Thu, Oct 28, 2010 at 9:45 AM, dave richards
> <dave.richards0319 at gmail.com> wrote:
> > Yes, I have noticed that, but for better precision, I have placed the
> > '.' after textRange. I feel it is not of big concern. What do you say?
> >
> > Regards,
> > Dave
> >
> > On Thu, Oct 28, 2010 at 6:50 PM, Will Metcalf <william.metcalf at gmail.com>
> > wrote:
> >>
> >> Yes but your match is for the following.... Notice the ".";
> >>
> >> "textRange."
> >>
> >> Regards,
> >>
> >> Will
> >>
> >> On Thu, Oct 28, 2010 at 8:18 AM, dave richards
> >> <dave.richards0319 at gmail.com> wrote:
> >> > Hi Will,
> >> >
> >> > "Mshtml.dll is one of the module that is used in processing html tags
> >> > which
> >> > exist in system32 directory. Vulnerability exists in Findtext function
> >> > related to TextRange object.
> >> >
> >> > TextRange object show a text in html element. This object has some
> >> > functions, one of them is FindText. This function searches a string in
> >> > an
> >> > exact range in the document and if the intended string is found returns
> >> > true."
> >> >
> >> > This is the description pertaining to MSHTML.
> >> >
> >> > Still have any comments let me know
> >> >
> >> > On Thu, Oct 28, 2010 at 6:25 PM, Will Metcalf
> >> > <william.metcalf at gmail.com>
> >> > wrote:
> >> >>
> >> >> content:"textRange.";
> >> >>
> >> >> I think this is specific to the exploit and not to the vuln. this will
> >> >> match on...
> >> >>
> >> >> textRange.findText(unescape("%u4141"),-1);
> >> >> textRange.select(document.getElementById('d'));
> >> >>
> >> >> which is simply a var as defined by...
> >> >>
> >> >> var textRange = textinput.createTextRange();
> >> >>
> >> >> so why not content:"createTextRange"; instead.
> >> >>
> >> >> I'm still not too sure how I feel about this rule as unless I
> >> >> misunderstand it will fire on valid uses as well.
> >> >>
> >> >> Regards,
> >> >>
> >> >> Will
> >> >>
> >> >> On Wed, Oct 27, 2010 at 11:56 PM, dave richards
> >> >> <dave.richards0319 at gmail.com> wrote:
> >> >> > Hi Matt,
> >> >> >
> >> >> > Please find the signature for Microsoft Internet Explorer MSHTML
> >> >> > Findtext
> >> >> > Processing Issue
> >> >> >
> >> >> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> >> >> > WEB-ATTACKS
> >> >> > Microsoft Internet Explorer MSHTML FindText Processing Issue";
> >> >> > flow:to_client,established; content:"type="; nocase; distance:0;
> >> >> > content:"textRange."; nocase; distance:0; content:"findText(";
> >> >> > nocase;
> >> >> > distance:0; classtype:attempted-user; reference:cve,CVE-2010-2553;
> >> >> > reference:url,exploit-db.com/exploits/15122;
> >> >> >
> >> >> >
> >> >> > reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue;
> >> >> > sid:20101020; rev:1;)
> >> >> >
> >> >> >
> >> >> > Looking forward to your comments if any
> >> >> > --
> >> >> > Regards,
> >> >> > Dave
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Regards,
> >> > Dave
> >> >
> >> >
> >
> >
> >
> > --
> > Regards,
> > Dave
> >
> >
> 
> 
> 
> -- 
> Regards,
> Dave
> 
> 
> 
> 
> -- 
> Regards,
> Dave
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
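
Added example (not part of the thread or any poster's code): a small Python check of the trade-off discussed above, comparing the revised rule's content chain with the `createTextRange` alternative over three constructed HTML samples. It emulates only ordered, case-insensitive `content` matches chained with `distance:0`; the rule labels, sample names and the benign page are assumptions made for illustration.

```python
# Added illustration: emulates only ordered, nocase content matches chained
# with distance:0. It is not a Snort/Suricata engine.

def rule_matches(payload, contents):
    """True if every content string occurs, in order, after the previous match."""
    haystack = payload.lower()          # nocase on every content
    pos = 0
    for needle in contents:
        idx = haystack.find(needle.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(needle)         # distance:0 -> search from end of last match
    return True

# Content chains taken from the thread (labels are hypothetical).
RULES = {
    "first_submission": ["type=", "textRange.", "findText("],
    "revised_with_id": ["type=", 'id="Abysssec"', "textRange.", "findText("],
    "createTextRange_variant": ["type=", "createTextRange", "findText("],
}

# Constructed samples; the script lines reuse the snippets quoted in the thread.
SAMPLES = {
    "published_names": '<input type="text" id="Abysssec"><script>'
        'var textinput = document.getElementById("Abysssec");'
        "var textRange = textinput.createTextRange();"
        'textRange.findText(unescape("%u4141"),-1);</script>',
    "renamed_variable": '<input type="text" id="Abysssec"><script>'
        'var textinput = document.getElementById("abysssec");'
        "var ETIsAwesome = textinput.createTextRange();"
        'ETIsAwesome.findText(unescape("%u41"),1);</script>',
    "benign_page_search": '<input type="text" id="q"><script>'
        "var r = document.body.createTextRange();"
        'if (r.findText("hello")) { r.select(); }</script>',
}

def evaluate():
    """Return {rule: {sample: fired}} for every rule/sample pair."""
    return {name: {s: rule_matches(body, contents) for s, body in SAMPLES.items()}
            for name, contents in RULES.items()}

if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(rule, hits)
```

The variable-name chains miss the renamed sample, while the `createTextRange` chain catches it but also fires on the benign page search, which is the false-positive concern raised in the thread.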


