
List:       dshield
Subject:    RE: [Dshield] GDI+ POC
From:       "Fitzgerald, William M. CTR (NASWI)" <William.M.Fitzgerald () navy ! mil>
Date:       2004-09-23 21:49:19
Message-ID: 7E00166666171A429BFD5CCF88C1617808A1C8 () nawebremez01 ! nadsuswe ! nads ! navy ! mil

Handlers Diary September 23rd 2004
Updated September 23rd 2004 16:30 UTC (Handler: Michael Haisley, Tony Carothers)
GDI Scanner Released
This is a preliminary diary and will be updated throughout the day as the situation warrants. Due to the possibility of a rapidly emerging exploit or worm, we are releasing this early.

Over the last 24hrs, several exploits taking advantage of the JPEG GDI vulnerability (MS04-028) have been released. We expect a rapid development of additional exploits over the next few days.

Tom Liston has put together a scanner which will scan your systems for vulnerable versions of the GDI libraries. You can get it at http://isc.sans.org/gdiscan.php. This program should have an MD5 checksum of 91ff45c6158e77eb57fbf6fbe38f05d1.

Several non-Microsoft programs include versions of GDI libraries which are vulnerable to exploitation. Using this tool you can identify programs which may be vulnerable, and attempt to obtain updates from the software developer.

SNORT Rules:

Judy Novak sent us these rules developed by the Snort Community:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:1;)
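The pcre in these rules fires on a JPEG whose APP1, APP2, APP13 or COM marker carries a length field of 0 or 1, which is the malformed condition behind MS04-028. As an added example, not from the diary or the Snort community, here is a small Python walker that parses the marker segments structurally and reports that condition, next to the rule's own regex for comparison; the sample byte strings are constructed, not real files, and the structural walk is assumed to stop at SOS/EOI since entropy-coded data follows.

```python
import re

# Marker types named in the Snort rules: APP1, APP2, APP13, COM.
# Each is followed by a 2-byte big-endian length that counts the length
# field itself, so any declared length below 2 is malformed (MS04-028).
SUSPECT_MARKERS = {0xE1: "APP1", 0xE2: "APP2", 0xED: "APP13", 0xFE: "COM"}

# Byte-level equivalent of the rules' pcre (DOTALL mirrors the /s flag).
SNORT_PCRE = re.compile(rb"\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]", re.S)


def pcre_matches(data: bytes) -> bool:
    """Plain pattern match, as the rule does it; can hit inside segment payloads."""
    return SNORT_PCRE.search(data) is not None


def find_bad_segments(data: bytes) -> list:
    """Walk the JPEG marker segments from SOI and return (offset, name, length)
    for every APPn/COM segment whose declared length is < 2."""
    findings = []
    if data[:2] != b"\xFF\xD8":              # SOI must come first
        return findings
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break                             # lost sync; stop rather than guess
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy data follows
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker in SUSPECT_MARKERS and length < 2:
            findings.append((pos, SUSPECT_MARKERS[marker], length))
            break                             # bogus length; cannot keep walking
        pos += 2 + length                     # skip marker plus its segment
    return findings


# Constructed samples: a minimal header with a 16-byte APP0 (JFIF) segment,
# and the same header followed by a COM segment whose length field is 0x0001.
_JFIF = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD = b"\xFF\xD8" + _JFIF + b"\xFF\xD9"
BAD = b"\xFF\xD8" + _JFIF + b"\xFF\xFE\x00\x01" + b"\xFF\xD9"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "pcre:", pcre_matches(sample), "walk:", find_bad_segments(sample))
```

The structural walk only reports a length that sits in a marker's length position, whereas the regex also matches the same byte sequence anywhere after SOI, including inside an APP segment payload such as EXIF data, so the two checks differ in false-positive rate.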




-----Original Message-----
From: list-bounces@lists.dshield.org
[mailto:list-bounces@lists.dshield.org]On Behalf Of Miles Stevenson
Sent: Thursday, September 23, 2004 8:50
To: General DShield Discussion List
Subject: Re: [Dshield] GDI+ POC


> Johannes - Friday Afternoon
> Rich - Saturday Afternoon
> 
> Anyone else?

Does it still count if Johannes actually writes the exploit Friday afternoon? 

-- 
Miles Stevenson
miles@mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list@lists.dshield.org
To change your subscription options (or unsubscribe), see: \
http://www.dshield.org/mailman/listinfo/list

