
List:       emerging-sigs
Subject:    [Emerging-Sigs] Adobe Exploit sigs
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2009-02-28 19:12:12
Message-ID: 49A98C8C.5020204 () jonkmans ! com

Thanks for the confirmation!

Spiffy pickle: I'm confirming with the original author your question
about byte test. More soon.

matt

Greg Martin wrote:
> Confirmed 2009113 works on the PoC from milw0rm
> 
> -GM
> 
> 
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net on behalf of spiffy pickle
> Sent: Fri 2/27/2009 11:09 AM
> To: Emerging Threats Signatures
> Subject: Re: [Emerging-Sigs] Adobe Exploit sigs
> 
> Matt,
>   Just wondering if the byte offset in the 2nd byte test should be 2 instead
> of 1.
> 
> The JBIG2 decoder starts 0000ad0:
> http://www.securityfocus.com/data/vulnerabilities/exploits/33751-PoC.pdf
> 
> 
> On Thu, Feb 26, 2009 at 9:55 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> 
>> New sigs for the adobe exploit have been submitted anonymously. They
>> look good, please test!
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe
>> PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt
>> HTTP inbound"; flow:to_client,established; content:"JBIG2Decode";
>> nocase; content:"stream|0D 0A 00 00 00 01|"; distance:0;
>> byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative;
>> byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751;
>> classtype:attempted-user; sid:2009112; rev:1;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB Adobe
>> PDF JBIG2 buffer overflow CVE-2009-0658 remote code execution attempt
>> HTTP inbound 2"; flow:to_client,established; content:"JBIG2Decode";
>> nocase; content:"stream|0A 00 00 00 01|"; distance:0;
>> byte_test:1,&,64,0,relative; byte_test:1,<,32,1,relative;
>> byte_test:4,>,35256,2,relative,little; reference:bugtraq,33751;
>> classtype:attempted-user; sid:2009113; rev:1;)
>>
>> In the ruleset momentarily.
>>
>> Matt
>>
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>

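To make the byte_test question in this thread concrete, here is a Python emulation of the match chain from sid 2009112, added as an example and not code from the original post or the Emerging Threats ruleset. The PDF object text and the segment-header bytes in the samples are constructed, and the second_offset parameter is an assumption of mine so the posted offset (1) and the offset proposed by spiffy pickle (2) can be compared side by side.

```python
import re

# Snort byte_test semantics as used in the rule: each test reads `size` bytes
# at `offset` counted from the end of the previous content match ("relative"),
# converts them to an integer (big endian unless "little" is given) and
# compares against `value`.  "&" is true when the bitwise AND is non-zero.
ANCHOR = b"stream\r\n\x00\x00\x00\x01"   # content:"stream|0D 0A 00 00 00 01|"


def byte_test(buf, pos, size, op, value, offset, endian="big"):
    """Emulate byte_test:<size>,<op>,<value>,<offset>,relative[,little]."""
    chunk = buf[pos + offset:pos + offset + size]
    if len(chunk) < size:          # not enough payload left: the test fails
        return False
    n = int.from_bytes(chunk, endian)
    return {"&": (n & value) != 0, "<": n < value, ">": n > value}[op]


def rule_matches(payload, second_offset=1):
    """Evaluate the sid 2009112 chain.  second_offset (assumed parameter) is
    the offset of the second byte_test: 1 as posted, 2 as proposed."""
    first = re.search(rb"jbig2decode", payload, re.IGNORECASE)   # nocase
    if first is None:
        return False
    idx = payload.find(ANCHOR, first.end())   # distance:0 -> after 1st match
    if idx < 0:
        return False
    pos = idx + len(ANCHOR)                   # relative offsets count from here
    return (byte_test(payload, pos, 1, "&", 64, 0)
            and byte_test(payload, pos, 1, "<", 32, second_offset)
            and byte_test(payload, pos, 4, ">", 35256, 2, "little"))


# Constructed samples: a JBIG2Decode stream object followed by segment-header
# bytes chosen only to exercise each test, not taken from any real PDF.
PDF_OBJ = b"<< /Filter /JBIG2Decode /Length 64 >>\r\n"
LEN_LE = (65536).to_bytes(4, "little")           # 00 00 01 00 -> 65536 > 35256
SAMPLE_HIT = PDF_OBJ + ANCHOR + bytes([0x40, 0x00]) + LEN_LE   # all tests pass
SAMPLE_NO_FLAG = PDF_OBJ + ANCHOR + bytes([0x00, 0x00]) + LEN_LE   # bit 64 clear
# Byte at offset 1 is 0xE0 (>= 32) while the byte at offset 2 is 0x00, so the
# posted rule misses this sample and the offset-2 variant catches it.
SAMPLE_OFFSET_DIFF = PDF_OBJ + ANCHOR + bytes([0x40, 0xE0]) + LEN_LE
```

Running rule_matches over the three samples with second_offset set to 1 and then 2 shows exactly which byte each variant of the rule inspects.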