
List:       snort-sigs
Subject:    [Snort-sigs] sid 15554
From:       yew chuan Ong <yewchuan_23 () yahoo ! com>
Date:       2013-01-06 13:14:01
Message-ID: 1357478041.35619.YahooMailNeo () web162801 ! mail ! bf1 ! yahoo ! com

Hi,

Hope someone can help me on this.

I am wondering why the description of this signature is as such:
"A vulnerability exists in the way that Internet Explorer handles ActiveX controls
that may present an attacker with the opportunity to run code of their choosing on a
host. In particular, this event is generated when a call to the Application Server
10g is made."

I thought it is to detect an attempt to exploit a format string vulnerability in
OPMN. Any relation to IE and ActiveX?

Also, does anyone know why this sig was crafted as such:
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6000:6199] (msg:"ORACLE Oracle \
Application Server 10g OPMN service format string vulnerability exploit attempt"; \
flow:to_server,established; content:"HTTP"; nocase; \
pcre:"/^(GET|POST|HEAD)\s+[^\x25]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i"; \
metadata:policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0993; \
reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; \
classtype:attempted-admin; sid:15554; rev:2;)

Thanks!
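
The payload options of the rule quoted above, run over constructed request data, as an added example that is not part of the original message. Python's `re` stands in for Snort's PCRE engine, the helper and sample names are hypothetical, and the rule's port range and flow options are not modelled. It shows which payloads the pcre accepts, including ordinary percent-encoded URLs.

```python
import re

# pcre option copied verbatim from the sid 15554 rule quoted in the message.
SID_15554_PCRE = re.compile(
    r"^(GET|POST|HEAD)\s+[^\x25]*\x25"
    r"[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]",
    re.IGNORECASE,  # the rule's /i modifier
)

def payload_matches(payload: bytes) -> bool:
    """Hypothetical helper: apply content:"HTTP"; nocase; then the pcre."""
    text = payload.decode("latin-1")  # one byte per character
    if "http" not in text.lower():
        return False
    # No /m modifier, so ^ anchors at the first byte of the payload.
    return SID_15554_PCRE.match(text) is not None

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "printf_conversion": b"GET /%08x HTTP/1.0\r\n\r\n",
    "encoded_space": b"GET /docs/my%20document.pdf HTTP/1.1\r\n\r\n",
    "encoded_slash": b"GET /a%2Fb HTTP/1.1\r\n\r\n",
    "encoded_letters": b"GET /q?x=%41%42 HTTP/1.1\r\n\r\n",
    "percent_in_header": b"GET / HTTP/1.1\r\nCookie: v=a%3db\r\n\r\n",
    "other_method": b"OPTIONS /my%20document.pdf HTTP/1.1\r\n\r\n",
}

def classify_samples() -> dict:
    """Return {sample name: True if the rule's payload options match}."""
    return {name: payload_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:18} {'match' if hit else 'no match'}")
```

Because `[^\x25]*` cannot cross a percent sign, only the first `%` in the payload is examined, and since the match is not confined to the request line, a `%` in a later header is also reached.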

