
List:       dragonidsuser
Subject:    [Dragonidsuser] [+] NIDS Signature Update: Thu Oct 27 11:03:18 2005
From:       dragon-sigs () enterasys ! com
Date:       2005-10-27 15:01:30
Message-ID: NHROCCNC1FMVpHgLHVb00008898 () NHROCCNC1 ! ets ! enterasys ! com

The following NIDS signature updates are available via liveupdate:

[+] Modified NIDS signatures:
CISCO:ERROR-WEB-DOS
DESCRIPTION :Many Cisco web servers that run on Cisco IOS are vulnerable to a Denial of Service attack in which a client requests the page "/error?/". You are seeing this alert because Dragon intercepted a request like "GET /error?/" in HTTP traffic.

GENERIC:WIN-DOWNLOAD
DESCRIPTION :This signature looks for a new form of shellcode that is generic for Windows XP (and possibly Windows 2000) hosts. This particular form downloads and executes an arbitrary file from any location on the Internet. While looking for shellcode specifically can be a poor way of detecting the exploitation of a particular vulnerability, done correctly it can be a great way of generically finding new attacks. In Windows exploits especially, shellcode is reused between different attacks for different vulnerabilities. With the major DCOM vulnerability, the usefulness of downloading and executing a backdoor from within the shellcode itself was proven on a large scale. When looking at these packets in the Dragon interfaces, you should see a web URL following a call into a Windows .DLL file. This is immediately followed by the name the downloaded file should be saved as and where it will be saved to. Use this information to assist in responding to this system.
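The triage the description asks for, walking a packet's printable strings in the order given (DLL call, then download URL, then drop path), as an added example that is not part of the original signature update; the payload fragment, DLL name, URL and path are constructed sample values:

```python
import re

# Constructed packet fragment standing in for what the Dragon packet view would show for this
# alert. The DLL name, URL and drop path are made-up sample values, not real indicators.
SAMPLE_PAYLOAD = (b"\x00\x00\x00\x00urlmon.dll\x00\x00"
                  b"http://download.example.invalid/update.bin\x00\x00"
                  b"C:\\WINDOWS\\Temp\\update.exe\x00\x00")

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")            # runs of printable ASCII, 4+ chars
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)
URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")

def extract_iocs(payload):
    """Walk the payload's strings in order: the DLL being called, then the download URL,
    then the path the file is saved under, as the description says they appear."""
    strings = [s.decode("ascii") for s in PRINTABLE_RE.findall(payload)]
    iocs = {"dll": None, "url": None, "save_as": None}
    for s in strings:
        if iocs["dll"] is None:
            if DLL_RE.match(s):
                iocs["dll"] = s
        elif iocs["url"] is None:
            if URL_RE.match(s):
                iocs["url"] = s
        elif iocs["save_as"] is None and WIN_PATH_RE.match(s):
            iocs["save_as"] = s
    return iocs

def response_summary(iocs):
    """One-line note for the responder: what to look for on the host and what to block.
    Returns None when the packet did not carry the full DLL/URL/path sequence."""
    if not (iocs["dll"] and iocs["url"] and iocs["save_as"]):
        return None
    return (f"Check host for {iocs['save_as']} (fetched from {iocs['url']} via {iocs['dll']}); "
            f"block {iocs['url']} at the proxy/firewall.")

if __name__ == "__main__":
    print(response_summary(extract_iocs(SAMPLE_PAYLOAD)))
```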

SMB:OVERFLOW-SAMBA-NOIR
DESCRIPTION :Samba 2.2.x and below is subject to a buffer overflow vulnerability for which many exploits were made available shortly after its public disclosure. This signature looks for one of those exploits specifically. The exploit is very easy to use and incorporates brute-forcing capabilities, which furthers the attacker's chance of success. Because of the brute forcing, you may see several hundred of these events from a single source, which should be a clear indication of intent. A successful attack will open a shell within the same session. If you do not see a GENERIC:SHELL-UNSET event together with this one, the attack was probably not successful.
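The correlation the description describes (hundreds of events from one source means brute forcing; a GENERIC:SHELL-UNSET event in the same session means the overflow probably worked), as an added example that is not part of the original signature update. The event stream and the 100-event threshold are constructed assumptions, not Dragon's own output or settings:

```python
from collections import defaultdict

SAMBA_SIG = "SMB:OVERFLOW-SAMBA-NOIR"
SHELL_SIG = "GENERIC:SHELL-UNSET"
BRUTE_THRESHOLD = 100   # assumed cut-off; the description says "several hundred" per source

def build_sample_events():
    """Constructed event stream of (source, session, signature) in arrival order; not real data."""
    events = []
    # Source A: 300 overflow attempts in separate sessions, never followed by a shell.
    for i in range(300):
        events.append(("10.0.0.5", f"A-{i}", SAMBA_SIG))
    # Source B: a handful of attempts; the third session also produces a shell event.
    for i in range(5):
        events.append(("10.0.0.9", f"B-{i}", SAMBA_SIG))
    events.append(("10.0.0.9", "B-2", SHELL_SIG))
    # A shell event in a session with no prior overflow attempt is unrelated and must not count.
    events.append(("10.0.0.12", "C-0", SHELL_SIG))
    return events

def triage(events, threshold=BRUTE_THRESHOLD):
    """Per-source verdict: attempt count, brute-force flag, and whether a shell event
    followed an overflow attempt in the same session (the description's success test)."""
    attempts = defaultdict(int)
    session_src = {}          # session -> source of the overflow attempt seen in it
    shell_after = set()       # sources whose overflow session later produced a shell
    for src, session, sig in events:
        if sig == SAMBA_SIG:
            attempts[src] += 1
            session_src[session] = src
        elif sig == SHELL_SIG and session in session_src:
            shell_after.add(session_src[session])
    return {
        src: {"attempts": n, "brute_force": n >= threshold, "likely_success": src in shell_after}
        for src, n in attempts.items()
    }

if __name__ == "__main__":
    for src, verdict in triage(build_sample_events()).items():
        print(src, verdict)
```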

WEB:ORACLE-MISSING
DESCRIPTION :Several errors that the Oracle database throws when bad data is passed to it through a web application give out too much information. Bad data can be injected by malicious users of the web site, or by a poorly configured or programmed web application. Problems arise if the web site takes the errors thrown by the database and pushes them back to the user without sanitizing the information. For example, the following error was received while testing a web site: ORA-00921: unexpected end of SQL command in /home/ft/www/PHPLib/php/db_pullfrom.inc on line 85. The user could then browse to db_pullfrom.inc, which contained the clear-text database login/password information. This alert indicates that a page was served from the inside to a user outside Dragon's protected network settings with the type of error that can introduce additional risk.
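The check behind this alert, as an added example that is not part of the original signature update: an inside web server answering an outside client with an ORA-nnnnn error, with the leaked path and line number pulled out for the responder. The protected network range and the sample response bodies are constructed assumptions; the error text is the one quoted above.

```python
import ipaddress
import re

# Assumed protected network for this example; Dragon's real "protected network" setting is site-specific.
PROTECTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]

ORA_CODE_RE = re.compile(r"\b(ORA-\d{5})\b")
# Path/line disclosure of the kind quoted in the description ("... in <file> on line <n>").
PATH_RE = re.compile(r"\bin\s+(/[^\s<>\"']+)\s+on\s+line\s+(\d+)")

def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_NETS)

def check_response(server_ip, client_ip, body):
    """Return a finding if an inside web server hands an Oracle error to an outside client, else None."""
    if not is_inside(server_ip) or is_inside(client_ip):
        return None          # out of scope: only inside -> outside responses raise this alert
    code = ORA_CODE_RE.search(body)
    if not code:
        return None
    finding = {"server": server_ip, "client": client_ip, "code": code.group(1), "path": None, "line": None}
    leak = PATH_RE.search(body)
    if leak:                 # the leaked include path is the part worth chasing on the server
        finding["path"], finding["line"] = leak.group(1), int(leak.group(2))
    return finding

# Constructed sample responses (not captured traffic); the error text is the one quoted above.
LEAKY_BODY = ("<html><body>Warning: ORA-00921: unexpected end of SQL command in "
              "/home/ft/www/PHPLib/php/db_pullfrom.inc on line 85</body></html>")
CLEAN_BODY = "<html><body>Sorry, your request could not be processed.</body></html>"

def sample_findings():
    return [
        check_response("192.168.1.10", "203.0.113.7", LEAKY_BODY),   # inside -> outside: alert
        check_response("192.168.1.10", "192.168.5.3", LEAKY_BODY),   # inside -> inside: out of scope
        check_response("192.168.1.10", "203.0.113.7", CLEAN_BODY),   # generic error page: fine
    ]

if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```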

WEB:OUTLOOK-DOS
DESCRIPTION :Outlook Web Access resource starvation vulnerability. Attackers simply need to request a folder that is nested very deep in the file system structure. The folder does not need to exist. This signature looks for the error message that is displayed when a user manually crafts a GET request for a folder that does not exist. If two users are using the same folder, and one of them deletes the folder before the other tries to access it, this message could also be returned. This message may also indicate a broken link to a public folder.


The following ENSRT NIDS signature updates are available via liveupdate:

[+] Modified NIDS ENSRT signatures:
ENSRT:W32-BANISH-A-003
DESCRIPTION :This signature performs a string match on a portion of the subject line of the mass-mailing worm W32.Banish.A as it propagates over the SMTP protocol on TCP port 25. For details on the deployment of this signature and event group go to: http://www.enterasys.com/support/security/incidents/2005/05/12565.html


The following BETA NIDS signature updates are available via liveupdate:

[+] Modified NIDS BETA signatures:
MS:WEBVIEW-EXPLORER
DESCRIPTION :This is the signature that detects the MS05-024 Vulnerability in Web View that could Allow Remote Code Execution. Remote exploitation of an input validation vulnerability in Microsoft Corp.'s Windows 2000 Explorer shell could allow attackers to execute arbitrary code. The preview pane in Windows Explorer is implemented via an HTML resource file (in webvw.dll), which examines the currently selected file, reads its metadata and displays useful information about it. Such information includes the file's size, attributes, modification date, author and more. This vulnerability can also be exploited by directing the user to an attacker-controlled SMB share; the user then needs to select the file in order to activate the exploit.



[*] This is an auto-generated email.
_______________________________________________
Dragonidsuser mailing list

For help please follow the below instructions.
You can make subscription adjustments via email by sending a message to:

  Dragonidsuser-request@enterasys.com

with the word `help' in the subject or body (don't include the quotes), and you will get back a message with instructions.

You must know your password to change your options (including changing the password itself) or to unsubscribe. If you forget your password, don't worry, you will receive a monthly reminder telling you what all your enterasys.com mailing list passwords are, and how to unsubscribe or change your options.

