[Emerging-updates] Daily Ruleset Update Summary 12/29/2012 (The IE 0-day Weekend Edition)

Will Metcalf wmetcalf at emergingthreatspro.com
Sat Dec 29 18:14:20 HAST 2012


We will probably release some Pro rules later, but I wanted to get these
into open today.

 [+++]          Added rules:          [+++]

  2016132 - ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP (current_events.rules)
  2016133 - ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace) (current_events.rules)
  2016134 - ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode (current_events.rules)
  2016135 - ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain (current_events.rules)

Additionally, if you are running Suricata-1.4 with LuaJIT:

1. Chris Wakelin's XOR Detection script
https://github.com/EmergingThreats/et-luajit-scripts/blob/master/suri-xor-binary-detect.lua
would have caught the payload in the CFR Drive-by.
2. If you are running the lua script to detect CVE-2012-1535
(https://github.com/EmergingThreats/et-luajit-scripts/blob/master/CVE-2012-1535.lua) you
can apply the following patch to perform simple string detection for
the Flash heap spray function name.

--- CVE-2012-1535.lua.old    2012-12-29 21:43:27.205605783 -0600
+++ CVE-2012-1535.lua    2012-12-29 14:16:48.826935797 -0600
@@ -78,9 +78,9 @@
     if sig  == "CWS" then
         stream = lz.inflate()
         t, eof, bytes_in, uncompressed_len = stream(string.sub(t,9))
-        if string.find(t,"kern",9,true) == nil then
-            return 0
-        end
+        --if string.find(t,"kern",9,true) == nil then
+        --    return 0
+        --end
     elseif sig ~= "FWS" then
         print("Not a SWF file bailing" .. sig)
         return 0
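Review bot: the three removed lines are commented out rather than deleted, so `--if string.find(t,"kern",9,true) == nil then` and its two companions remain in the file as dead code; delete them outright (the repository history keeps them) or put the "kern" early-out behind a flag if it is meant to come back later. Worth noting in the commit text as well: without that early return every inflated CWS file now falls through to the full tag-parsing loop, so the script does strictly more work per SWF than before.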
@@ -121,6 +121,14 @@
             offset = offset + 4
         end

+        if tagtype == 82 then
+            DoABC = string.sub(t,offset, offset + shortlen)
+            if string.find(DoABC,"HeapSpary",0,true) ~= nil then
+                print("IE 0-day Flash HeapSpray 12-29-12")
+                return 1
+            end
+        end
+
         if tagtype == 91 then
             ttfoffset = offset + 3
             -- Find the end of the font name
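Review bot: the search literal in `if string.find(DoABC,"HeapSpary",0,true) ~= nil then` is spelled differently from the alert text `print("IE 0-day Flash HeapSpray 12-29-12")`; if the literal intentionally matches the misspelled function name seen in the sample, add a one-line comment saying so, otherwise the next person to touch this file will "correct" it and silently break the match. Two smaller points on the same block: `DoABC = string.sub(...)` has no `local`, so it is written to the global table on every DoABC tag, and `string.find`'s `init` argument is 1-based, so pass 1 rather than 0 (0 is clamped to the start, but it reads like an off-by-one). Finally, confirm that `string.sub(t,offset, offset + shortlen)` is meant to include the byte at `offset + shortlen`, since `string.sub` is inclusive at both ends.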