Snort mailing list archives
Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 26 Mar 2009 11:03:21 -0600
Hi,

1. If my system wasn't running the affected application, then it is a false positive, but it may still be a genuine attack, and that may be interesting to me.

2. This would be the case that I'm trying to verify by asking the question here. This doesn't look like an MP4 file to me, and my theory is that the alert is triggered falsely on this packet.

Further questions I have:

1. Content-Encoding: gzip. Does this mean that the HTTP content is actually compressed, and what does Snort do with this, if anything?

2. Content-Type field. Can this be relied upon to determine whether or not the exploit was "real"? I've seen some malware download files from websites where the content type is text, but in the case of exploiting a browser or browser plugin, my instinct is that the content type needs to be accurate, or the browser/application isn't going to process the data. In the case below, of the media player exploit, if the type is JavaScript, then it isn't going to get played by Media Player (??). Like I said, I've seen other alerts triggered by what look like picture files to me (JPEG, GIF for instance).

________________________________
From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings
Sent: March 25, 2009 4:51 PM
To: Jefferson, Shawn
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

Shawn, you can ascertain this by asking yourself some simple questions:

1: Is the system that this is alerting on affected by this, i.e. is it a system running the affected version of Microsoft Windows Media Player with the appropriate codecs?

2: Is the file in question that is causing the alert even an MP4 file? Since you suspect that it's not, verify this... if it is, see question 1.

Answer both of those and you'll find the answer...
1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;)

On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (1:13318), and I'm thinking this is a false positive. The Snort page for the alert doesn't list any known false positives.

Some of the payload info:

HTTP/1.1 200 OK
Date: Wed, 25 Mar 2009 20:51:54 GMT
Server: Apache/1.3.41.fb2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="HONK"
Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
X-Cnection: close
Transfer-Encoding: chunked
Content-Type: application/x-javascript; charset=utf-8
Content-Encoding: gzip

The reason I think it may be a false positive is the fact that this appears to be JavaScript, and is gzipped (??). I've seen other alerts triggered by JPEGs, and I've always assumed they were false positives, but I wanted to run it by all of you because I could be missing something!

Also, if this is a false positive, how do I go about helping fill out the Snort alert DB on the website?
Thanks,
Shawn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
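The rule quoted above only ever sees wire bytes: it looks for the four bytes A9 63 6D 74 ("©cmt") and then, with byte_test, reads the next four bytes as a big-endian integer and fires if that number is over 512. Nothing in it consults Content-Type or Content-Encoding, and it performs no decompression itself; whether an HTTP preprocessor inflates the body before the rule runs is a matter of the Snort build and its configuration, not of the rule. The script below is an added example written for this thread (it is not code from the thread, from Snort or from Sourcefire): it replays that content + byte_test logic over two constructed HTTP responses, then does the triage the thread asks for, reading the headers, de-chunking and gunzipping the body, and checking whether what comes out even starts like an MP4. Assumptions, all mine: the MP4 sample uses the iTunes-style layout in which the 4 bytes after the "©cmt" tag are the size of a "data" sub-box (which is what the byte_test threshold is evidently meant to measure); the JavaScript sample contains the UTF-8 text "©cmt" (bytes C2 A9 63 6D 74) and is gzipped at level 0 so that the text survives verbatim in the compressed stream and the example is deterministic; all function and variable names are hypothetical.

```python
"""Replay what Snort SID 1:13318 actually evaluates against a raw HTTP
response, then triage the hit against the response headers and body.

Added example for this mailing-list thread; not code from the thread,
from Snort or from Sourcefire.  Both HTTP responses below are constructed.
"""
import gzip
import struct

# content:"|A9|cmt"; byte_test:4,>,512,0,relative;
PATTERN = b"\xa9cmt"
THRESHOLD = 512


def rule_13318_matches(payload):
    """Return (fired, value).  Every occurrence of the content match is
    tried, as Snort retries the content match when byte_test fails.
    byte_test reads 4 bytes, big-endian by default, directly after the
    match (offset 0, relative).  Nothing here looks at HTTP headers."""
    start = 0
    while True:
        i = payload.find(PATTERN, start)
        if i < 0:
            return False, None
        j = i + len(PATTERN)
        if j + 4 <= len(payload):
            value = struct.unpack(">I", payload[j:j + 4])[0]
            if value > THRESHOLD:
                return True, value
        start = i + 1


def split_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (trailers not needed here)."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]          # drop the CRLF that ends the chunk
    return out


def triage(raw):
    """Replay the rule on the wire bytes, then answer the thread's two
    questions: what did the headers say, and is the decoded body an MP4?"""
    fired, value = rule_13318_matches(raw)
    _, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)    # the rule itself never does this
    looks_like_mp4 = body[4:8] == b"ftyp"   # MP4 files open with an ftyp box
    if not fired:
        verdict = "no alert"
    elif looks_like_mp4:
        verdict = "needs investigation"
    else:
        verdict = "likely false positive"
    return {
        "rule_fired": fired,
        "byte_test_value": value,
        "content_type": headers.get("content-type", ""),
        "content_encoding": headers.get("content-encoding", ""),
        "looks_like_mp4": looks_like_mp4,
        "verdict": verdict,
    }


# --- constructed samples (not captured traffic) ---------------------------

def box(kind, payload):
    """MP4 box: 4-byte big-endian size (header included), 4-byte type."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def chunk(body):
    """Wrap a body as a single HTTP chunk followed by the terminating chunk."""
    return b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"


# 1. An MP4 whose (c)cmt box carries a 1024-byte comment.  Assumed
#    iTunes-style layout: the 4 bytes after the tag are the size of the
#    'data' sub-box (8 header + 8 version/locale + 1024 = 1040), so the
#    byte_test sees 1040 > 512 and the rule fires on a real comment box.
COMMENT = b"A" * 1024
MP4_FILE = (box(b"ftyp", b"mp42\x00\x00\x00\x00mp42isom")
            + box(b"moov", box(b"udta", box(b"\xa9cmt",
                  box(b"data", b"\x00\x00\x00\x01" + b"\x00" * 4 + COMMENT)))))
MP4_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(MP4_FILE) + MP4_FILE)

# 2. Gzipped, chunked JavaScript like the response in the thread.  The
#    comment holds the UTF-8 text "(c)cmt" (bytes C2 A9 63 6D 74), and
#    compresslevel=0 (stored deflate blocks) keeps the text verbatim in the
#    gzip stream so the example is deterministic; at a real compression
#    level the same four bytes can still turn up by chance in the output.
JS_TEXT = "/* \u00a9cmt 2009-03-25 */\nfunction f(){return 1;}\n".encode("utf-8")
JS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/x-javascript; charset=utf-8\r\n"
               b"Transfer-Encoding: chunked\r\nContent-Encoding: gzip\r\n\r\n"
               + chunk(gzip.compress(JS_TEXT, compresslevel=0)))

if __name__ == "__main__":
    for name, raw in (("mp4", MP4_RESPONSE), ("js", JS_RESPONSE)):
        print(name, triage(raw))
```

Two things fall out of running it. First, on the JavaScript response the byte_test value is 0x20323030 (the ASCII text " 200" that happens to follow the tag): whenever the byte after the match is printable, or is a pseudo-random byte from a compressed stream, the big-endian value is almost always far above 512, so outside a genuine MP4 size field the threshold filters nothing and the rule degrades to a plain four-byte content match. Second, the triage that answers the thread's questions has to happen after de-chunking and inflating the body, and has to look at what the bytes are rather than at what the rule matched; the Content-Type header is one input to that, but the decoded body's own magic (the ftyp box here) is the check that does not depend on the server telling the truth.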
Current thread:
- Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Jefferson, Shawn (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt JJ Cummings (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Jefferson, Shawn (Mar 26)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Nigel Houghton (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt JJ Cummings (Mar 25)