Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS04-028 PoCs and Exploits released / UPDATE: Snort Rules

Published: 2004-09-22
Last Updated: 2004-09-23 14:01:48 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
MS04-28 PoCs and Exploits


Things are just getting better and better on this topic.

Today another exploit for the MS04-28 , regarding the JPG, was public released. This one will open a command prompt in your machine.

The first PoC (proof-of-concept) released some days ago is already detected by some AV vendors.
According to the free service VirusTotal, Symantec, Trend, Kaspersky and McAfee detects the malformated jpeg headers. So, if you run updated versions, you should be safe.


On the other hand, if we are seeing exploits opening command prompts, something worst is on its way...

If you already have Tom Liston's ISCAlert ( http://www.labreatechnologies.com/ISCAlert.zip ) on your systray, stay tuned, it may blink soon...

So, please, remember to apply Microsoft Patches in your and your friends and family computers (I already applied on my mother's windows box...). Companies should test it and also apply as soon as possible...
Remember that patches are not to be applied only when a new malware is exploiting the vulnerability, so dont wait for it as a reason to apply the patches.




Reference: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

We will update this diary as soon as we have more info.


UPDATE:

Judy Novak sent us these rules developed by the Snort Community.

Snort Rules:




alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT

JPEG parser heap overflow attempt"; flow:from_server,established;

content:"image/jp"; nocase;

pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi";

reference:bugtraq,11173; reference:cve,CAN-2004-0200;

reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;

classtype:attempted-admin; sid:2705; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT

JPEG transfer"; flow:from_server,established; content:"image/jp";

nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi";

flowbits:set,http.jpeg; flowbits:noalert;

classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT

JPEG parser multipacket heap overflow";

flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|";

pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173;

reference:cve,CAN-2004-0200;

reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;

classtype:attempted-admin; sid:2707; rev:1;)


UPDATE 2:

The second exploit mentioned on this diary is already identified by the same AV vendors.



--------------------------------------------------------

Handler on Duty: Pedro Bueno (pbueno /AT/ isc.sans.org)


Keywords:
0 comment(s)
Diary Archives