List: emerging-sigs
Subject: [Emerging-Sigs] Adobe Exploit sigs
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2009-02-28 19:12:12
Message-ID: 49A98C8C.5020204 () jonkmans ! com
Thanks for the confirmation!
Spiffy pickle: I'm confirming with the original author your question
about byte test. More soon.
matt
Greg Martin wrote:
> Confirmed 2009113 works on the PoC from milworm
>
> -GM
>
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net on behalf of spiffy pickle
> Sent: Fri 2/27/2009 11:09 AM
> To: Emerging Threats Signatures
> Subject: Re: [Emerging-Sigs] Adobe Exploit sigs
>
> Matt,
> Just wondering if the byte offset in the 2nd byte test should be 2 instead
> of 1.
>
> The JBIG2 decoder starts 0000ad0:
> http://www.securityfocus.com/data/vulnerabilities/exploits/33751-PoC.pdf
>
>
> On Thu, Feb 26, 2009 at 9:55 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>
>> New sigs for the adobe exploit have been submitted anonymously. They
>> look good, please test!
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe
>> PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt
>> HTTP inbound"; flow:to_client,established; content:"JBIG2Decode";
>> nocase; content:"stream|0D 0A 00 00 00 01|"; distance:0;
>> byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative;
>> byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751;
>> classtype:attempted-user; sid:2009112; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe
>> PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt
>> HTTP inbound 2"; flow:to_client,established; content:"JBIG2Decode";
>> nocase; content:"stream|0A 00 00 00 01|"; distance:0;
>> byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative;
>> byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751;
>> classtype:attempted-user; sid:2009113; rev:1;)
>>
>> In the ruleset momentarily.
>>
>> Matt
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
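The rules quoted above inspect the first JBIG2 segment header in the stream, and the offset question turns on where each header field sits relative to the end of the content match. The Python below is added here as an example; it is not from the thread and not Emerging Threats code. It emulates the two content matches and the three byte_test checks of sids 2009112/2009113 and decodes the same header per ITU-T T.88 section 7.2, so the reader can see which byte each relative offset lands on. It assumes Snort's documented byte_test semantics (a `relative` offset counts from the byte after the last content match, and byte_test does not move that cursor). The sample PDF bytes and the helper names (build_pdf, locate, byte_tests, rule_matches, parse_segment_header) are constructed for the example and are not the PoC linked above.

```python
"""Emulate ET sids 2009112 / 2009113 against constructed PDF bytes.

Added example for the emerging-sigs thread; not Emerging Threats code, and
the sample bytes are constructed, not the SecurityFocus/milw0rm PoC.
Assumed Snort semantics: byte_test with `relative` measures its offset from
the byte after the last content match and never moves that cursor, so the
offsets 0, 1 and 2 of the three tests all start from the same byte.
Header layout is ITU-T T.88 section 7.2 (embedded organisation, as in PDF).
"""
import re
import struct

SEG1 = b"\x00\x00\x00\x01"  # segment number 1, big-endian; part of the content match


def parse_segment_header(buf, off):
    """Decode the JBIG2 segment header at buf[off] (short-form referred-to field only)."""
    seg_num = struct.unpack_from(">I", buf, off)[0]
    flags = buf[off + 4]            # bits 0-5 type, bit 6 page-association size, bit 7 deferred
    rts = buf[off + 5]              # referred-to segments, short form: count in the top 3 bits
    ref_count = rts >> 5
    if ref_count == 7:
        raise ValueError("long-form referred-to field not handled in this example")
    ref_size = 1 if seg_num <= 256 else 2 if seg_num <= 65536 else 4
    p = off + 6 + ref_count * ref_size          # skip the referred-to segment numbers
    if flags & 0x40:
        page = struct.unpack_from(">I", buf, p)[0]   # 4-byte page association, big-endian per T.88
        p += 4
    else:
        page = buf[p]                                # 1-byte page association
        p += 1
    data_len = struct.unpack_from(">I", buf, p)[0]
    p += 4
    return {"segment_number": seg_num, "type": flags & 0x3F,
            "page_assoc_4byte": bool(flags & 0x40), "referred_count": ref_count,
            "page_association": page, "data_length": data_len, "header_len": p - off}


def locate(payload, newline=b"\r\n"):
    """The two content matches: 'JBIG2Decode' (nocase), then 'stream'+EOL+segment 1 (distance:0).
    Returns (segment header offset, byte_test cursor) or None."""
    m = re.search(rb"JBIG2Decode", payload, re.IGNORECASE)
    if m is None:
        return None
    content = b"stream" + newline + SEG1
    i = payload.find(content, m.end())
    if i < 0:
        return None
    return i + len(b"stream" + newline), i + len(content)


def byte_tests(buf, cursor):
    """The three byte_test options of the rule, all measured from the same cursor."""
    return {
        "flags_bit6_set": bool(buf[cursor] & 64),                # byte_test:1,&,64,0,relative
        "no_referred_segs": buf[cursor + 1] < 32,                # byte_test:1,<,32,1,relative
        "le32_at_2_gt_35256":                                    # byte_test:4,>,35256,2,relative,little
            struct.unpack_from("<I", buf, cursor + 2)[0] > 35256,
    }


def rule_matches(payload, newline=b"\r\n"):
    """sid 2009112 with newline=CRLF, sid 2009113 with newline=LF. Returns (fired, test results)."""
    loc = locate(payload, newline)
    if loc is None:
        return False, {}
    _, cursor = loc
    if cursor + 6 > len(payload):   # a byte_test that runs past the payload does not match
        return False, {}
    tests = byte_tests(payload, cursor)
    return all(tests.values()), tests


def build_pdf(flags, referred=(), page_assoc=1, data_len=256, newline=b"\r\n"):
    """Constructed minimal PDF-like object carrying one JBIG2 segment header (not a real PoC)."""
    hdr = SEG1 + bytes([flags, len(referred) << 5]) + bytes(referred)
    hdr += struct.pack(">I", page_assoc) if flags & 0x40 else bytes([page_assoc])
    hdr += struct.pack(">I", data_len)
    body = hdr + b"\x00" * 16
    return (b"%PDF-1.4\n5 0 obj\n<< /Type /XObject /Subtype /Image /Width 32 /Height 32 "
            b"/BitsPerComponent 1 /ColorSpace /DeviceGray /Filter /JBIG2Decode /Length "
            + str(len(body)).encode() + b" >>\nstream" + newline + body
            + b"\nendstream\nendobj\n")


# Constructed samples.
SAMPLE_MATCH = build_pdf(0x40)                    # symbol dictionary, 4-byte page assoc, no referred-to
SAMPLE_MATCH_LF = build_pdf(0x40, newline=b"\n")  # same header, LF-only stream keyword (sid 2009113)
SAMPLE_PAGE_1BYTE = build_pdf(0x30)               # page-info segment with a 1-byte page association
SAMPLE_REFERRED = build_pdf(0x40, referred=(0,))  # one referred-to segment shifts page association to +3


if __name__ == "__main__":
    for name, sample, nl in [("match", SAMPLE_MATCH, b"\r\n"), ("match-lf", SAMPLE_MATCH_LF, b"\n"),
                             ("page-1byte", SAMPLE_PAGE_1BYTE, b"\r\n"),
                             ("referred", SAMPLE_REFERRED, b"\r\n")]:
        fired, tests = rule_matches(sample, nl)
        hdr_off, _ = locate(sample, nl)
        print(name, "fired=%s" % fired, tests, parse_segment_header(sample, hdr_off))
```

Running it shows that relative offset 0 is the segment-header flags byte, offset 1 the referred-to-segments byte, and offset 2 the start of the 4-byte page association only when flags bit 6 is set and the referred-to count is zero, which is exactly what the first two tests enforce; with one referred-to segment the page association moves to offset 3 and the second test fails. Note also that the third test reads the field little-endian (the `little` modifier) while T.88 stores it big-endian, so a page association of 1 stored as 00 00 00 01 compares as 16777216.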