List: emerging-sigs
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 12/30/2012 (Weekend Update Thanks For the "Pointer" Edi
From: Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date: 2012-12-31 6:50:52
Message-ID: CAKrkXrPQKoMAtWNmvgJXm+LVXHLi=Uzix7RJxkVokJZ_7NDdKg () mail ! gmail ! com
[***] Summary [***]
Just a small update to one of the IE 0-day sigs and a couple of sigs to
catch EIP in the URI as described here.
http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx
Both the original exploit and Metasploit pass EIP via window.location
which ends up sending a relative request to the originating server with the EIP
in the URI. Adding a couple of rules for this. Had a bit of trouble with
normalization of the URIs so pardon the http_raw_uri's on snort until I
figure out what I did wrong :)...
GET /%E0%AC%B0%E0%B0%8Chttps://www.google.com/settings/account HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: ready.player.one
Connection: Keep-Alive
[+++] Added rules: [+++]
2016136 - ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8 (current_events.rules)
2016137 - ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1) (current_events.rules)
[///] Modified active rules: [///]
2016132 - ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP (current_events.rules)
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro \
http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for \
all versions of Suricata and Snort 2.4.0 through Current!
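
The request pattern described in the message above, as an added detection sketch that is not part of the original post and not the content of the ET rules. It works on the raw (un-normalized) request URI and assumes both halves of the value are 3-byte UTF-8 characters, that the first character is the low 16 bits, and that an absolute URL follows directly, as in the sample request; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Two percent-encoded 3-byte UTF-8 characters at the start of the path,
# directly followed by an absolute URL, as in the sample request above.
# Heuristic built from that sample; it is not the content of the ET rules.
LEAD = re.compile(
    r"^/((?:%[Ee][0-9A-Fa-f](?:%[89ABab][0-9A-Fa-f]){2}){2})https?://"
)

def candidate_pointer(raw_uri):
    """Return the 32-bit value carried by the two leading characters, or None."""
    m = LEAD.match(raw_uri)
    if m is None:
        return None
    try:
        chars = unquote_to_bytes(m.group(1)).decode("utf-8")  # strict decode
    except UnicodeDecodeError:
        return None  # overlong forms or surrogates: not a valid pair
    if len(chars) != 2:
        return None
    low, high = ord(chars[0]), ord(chars[1])
    # Assumption: first character is the low word (little-endian UTF-16 string)
    return (high << 16) | low

def scan(request_lines):
    """Return (raw_uri, pointer_hex) for request lines matching the pattern."""
    hits = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) != 3:
            continue  # not "METHOD URI VERSION"
        value = candidate_pointer(parts[1])
        if value is not None:
            hits.append((parts[1], f"0x{value:08X}"))
    return hits

# Constructed sample: the first line is the request from the post, the rest
# are benign or malformed requests made up for contrast.
SAMPLE = [
    "GET /%E0%AC%B0%E0%B0%8Chttps://www.google.com/settings/account HTTP/1.1",
    "GET /%E6%97%A5%E6%9C%AC/index.html HTTP/1.1",
    "GET /redirect?u=https://www.google.com/ HTTP/1.1",
    "GET /%E0%80%80%E0%80%80http://example.test/ HTTP/1.1",
]

if __name__ == "__main__":
    for uri, ptr in scan(SAMPLE):
        print(ptr, uri)
```

Requiring the absolute URL right after the two characters keeps ordinary non-ASCII paths from matching, at the cost of missing variants that do not follow the sample's shape.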