IDS mailing list archives
Re: HELP ON POP3 FALSE ATTACHMENT SIGNATURE
From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Tue, 17 Jun 2003 20:39:39 -0700
Hi Aravind,

You need to give more information. But based on your description, I feel you should look at the MIME header in the email body. In any case, it is better to build POP3 protocol intelligence to figure out the 'envelope' header and the email data message. Then you can do content search on part of the envelope OR part of a MIME header field. Doing content search on the packets might give you false negatives and false positives.

Srini

Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com

----- Original Message -----
From: "Aravinda T" <aravindat () internettrends co in>
To: <focus-ids () securityfocus com>
Cc: <focus-ids-owner () securityfocus com>
Sent: Sunday, June 15, 2003 10:38 PM
Subject: HELP ON POP3 FALSE ATTACHMENT SIGNATURE
Hi all,

In our company we are developing a host based IDS for all Windows platforms. In that they asked me to write code for detecting POP3 false attachment attack. I am giving the description of this attack below.

Description: Versions of MS Outlook are vulnerable to receiving a hidden, potentially hostile attachment. An arbitrary string of characters, supplied by the sender to the 'subject:' field, will be received and interpreted by vulnerable versions of Outlook as an attachment to the message. If this string is properly constructed, it can be executable and capable of performing hostile actions on the vulnerable host. This can also be used to circumvent Outlook's dangerous file security feature.

So, pls help me for writing signature of this attack. Any info regarding this one is highly appreciated.

Thanks and regards,
Aravind.

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
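The reply's suggestion, shown as an added example that is not code from either poster: a POP3 session tracker that reassembles the stream, isolates the headers of a RETR/TOP reply, and searches only the unfolded Subject field instead of individual packets. The `PLACEHOLDER-SIG` pattern, the class and function names, and the sample session are constructed assumptions, since the thread gives no byte pattern for the attack.

```python
import re
from collections import deque

# Constructed stand-in: the thread gives no byte pattern for the malformed Subject.
MARKER = re.compile(rb"PLACEHOLDER-SIG", re.I)
MULTI = (b"RETR", b"TOP", b"CAPA")

class Pop3Inspector:
    def __init__(self):
        self.cbuf = self.sbuf = b""
        self.pending = deque()                # client commands still waiting for a reply
        self.msg, self.is_mail = None, False  # lines of the multi-line reply being collected
        self.alerts = []

    def feed_client(self, data):
        self.cbuf += data
        *lines, self.cbuf = self.cbuf.split(b"\r\n")  # keep the partial last line
        self.pending.extend(l.upper().split() for l in lines)

    def feed_server(self, data):
        self.sbuf += data
        *lines, self.sbuf = self.sbuf.split(b"\r\n")
        for line in lines:
            if self.msg is None:  # status line answering the oldest command
                cmd = (self.pending.popleft() if self.pending else []) or [b""]
                multi = cmd[0] in MULTI or (cmd[0] in (b"LIST", b"UIDL") and len(cmd) == 1)
                if multi and line.startswith(b"+OK"):
                    self.msg, self.is_mail = [], cmd[0] in (b"RETR", b"TOP")
            elif line == b".":    # end of the multi-line reply
                if self.is_mail:
                    self._inspect(self.msg)
                self.msg = None
            else:                 # undo dot-stuffing
                self.msg.append(line[1:] if line.startswith(b".") else line)

    def _inspect(self, lines):
        end = lines.index(b"") if b"" in lines else len(lines)  # headers stop at first blank line
        headers = re.sub(rb"\r\n[ \t]+", b" ", b"\r\n".join(lines[:end]))  # unfold
        for header in headers.split(b"\r\n"):
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"subject" and MARKER.search(value):
                self.alerts.append(value.strip())

def run_demo():
    ids = Pop3Inspector()  # constructed session below
    ids.feed_server(b"+OK ready\r\n")
    ids.feed_client(b"RETR 1\r\n")
    ids.feed_server(b"+OK\r\nSubject: report\r\n PLACEHO")  # folded and split mid-marker
    ids.feed_server(b"LDER-SIG\r\n\r\nbody\r\n.\r\n")
    return ids.alerts
```

A per-packet search misses the first message because the marker straddles two segments on a folded header line, and it would flag any mail that merely quotes the marker in its body.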
Current thread:
- HELP ON POP3 FALSE ATTACHMENT SIGNATURE Aravinda T (Jun 17)
- Re: HELP ON POP3 FALSE ATTACHMENT SIGNATURE Srinivasa Rao Addepalli (Jun 18)