Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules for CVE-2013-3906
From: Patrick Mullen <pmullen () sourcefire com>
Date: Fri, 8 Nov 2013 09:36:49 -0500
Jeremy,

The rules that are currently released for CVE-2013-3906 (sids 28464-28471) cover all known samples that exploit this vulnerability as well as a yet-unseen version for which STRIPBYTECOUNT is set to one and the vulnerable value can be checked easily. When STRIPBYTECOUNT is greater than one, the values that need to be evaluated for the vulnerable condition are located at a file offset, which requires additional processing to compute. Using Snort's shared object rule architecture, we are able to perform these calculations, but since shared object rules are written in C, there are additional reviews that need to be performed before release. The current sids were released to provide good coverage for our customers immediately while the shared object rule went through the review process to cover the more general case.

The shared object rule has already gone through the review process and will be released in an upcoming SEU/SRU/rulepack.

Thanks,

~Patrick

On Thu, Nov 7, 2013 at 10:05 PM, Jeremy Scott <JeremyScott () solutionary com> wrote:

> What's the possibility of false negatives with the rules package for CVE-2013-3906 (SID 28464-71)? I'm just trying to validate if I'm understanding the rule logic correctly. The content is matching the STRIPBYTECOUNT TIFF Tag (01 17 00 04 00 00 00 01). By specifying a value of 1 for the number of strips in the file, it seems that it will bypass the rule from being triggered if more than 1 strip is used to trigger the vulnerable condition.
>
> Jeremy Scott <http://www.solutionary.com/>
> Senior Research Analyst
> Security Engineering Research Team (SERT)

--
Patrick Mullen
Response Research Manager
Sourcefire VRT
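The bytes Jeremy quotes, `01 17 00 04 00 00 00 01`, are a TIFF IFD entry for tag 0x0117 (StripByteCounts) with field type LONG and a count of 1, written in big-endian ("MM") byte order. The Python below is added here as an illustration and is not part of this thread, the Snort rules or any VRT code. It shows why a fixed content match can only see the single-strip case and what the "additional processing" Patrick mentions involves: TIFF stores a field's value inline only when it fits in the entry's 4-byte value field; otherwise that field holds a file offset that has to be resolved before the values can be checked. The minimal TIFF builder and the sample files are constructed for the example, and because the page does not state what the vulnerable value is, the parser only resolves the StripByteCounts array and leaves the per-value check to the reader.

```python
import struct

STRIP_BYTE_COUNTS = 0x0117          # TIFF tag 273, the tag the quoted rule content keys on
IMAGE_WIDTH = 0x0100                # constructed filler entry so the IFD holds more than one tag
TYPE_SHORT, TYPE_LONG = 3, 4        # the two TIFF field types StripByteCounts may use
TYPE_FMT = {TYPE_SHORT: "H", TYPE_LONG: "I"}
TYPE_SIZE = {TYPE_SHORT: 2, TYPE_LONG: 4}

# The byte sequence quoted in the thread: tag 0x0117, type LONG, count 1, big-endian layout.
INLINE_SIGNATURE = bytes.fromhex("0117000400000001")


def content_match(data: bytes) -> bool:
    """Plain fixed-bytes match, the way a content-only rule sees the file."""
    return INLINE_SIGNATURE in data


def strip_byte_counts(data: bytes) -> list:
    """Return every StripByteCounts value from the first IFD, following the
    offset when the array does not fit in the entry's 4-byte value field."""
    order = data[:2]
    if order == b"II":
        e = "<"                      # little-endian ("Intel") file
    elif order == b"MM":
        e = ">"                      # big-endian ("Motorola") file
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (n_entries,) = struct.unpack_from(e + "H", data, ifd_off)
    for i in range(n_entries):
        base = ifd_off + 2 + 12 * i  # each IFD entry is 12 bytes: tag, type, count, value/offset
        tag, typ, count = struct.unpack_from(e + "HHI", data, base)
        if tag != STRIP_BYTE_COUNTS:
            continue
        if typ not in TYPE_FMT:
            raise ValueError("unexpected StripByteCounts type %d" % typ)
        size = TYPE_SIZE[typ] * count
        if size <= 4:
            value_off = base + 8     # array fits: values are stored inline in the entry
        else:
            # Array does not fit: the entry's last 4 bytes are an offset into the file
            (value_off,) = struct.unpack_from(e + "I", data, base + 8)
        if value_off + size > len(data):
            raise ValueError("StripByteCounts array points past end of file")
        return list(struct.unpack_from(e + TYPE_FMT[typ] * count, data, value_off))
    raise ValueError("no StripByteCounts entry in first IFD")


def build_tiff(byte_counts, big_endian=True) -> bytes:
    """Constructed minimal TIFF: header, one IFD with ImageWidth and StripByteCounts and,
    for more than one strip, the out-of-line LONG array the entry points at."""
    e = ">" if big_endian else "<"
    n = len(byte_counts)
    ifd_off = 8
    n_entries = 2
    ifd_end = ifd_off + 2 + 12 * n_entries + 4   # first byte after the IFD; out-of-line data goes here
    header = (b"MM" if big_endian else b"II") + struct.pack(e + "HI", 42, ifd_off)
    width = struct.pack(e + "HHII", IMAGE_WIDTH, TYPE_LONG, 1, 64)
    if n == 1:
        sbc = struct.pack(e + "HHII", STRIP_BYTE_COUNTS, TYPE_LONG, 1, byte_counts[0])
        tail = b""
    else:
        sbc = struct.pack(e + "HHII", STRIP_BYTE_COUNTS, TYPE_LONG, n, ifd_end)
        tail = struct.pack(e + "I" * n, *byte_counts)
    return header + struct.pack(e + "H", n_entries) + width + sbc + struct.pack(e + "I", 0) + tail


if __name__ == "__main__":
    samples = (("one strip, big-endian", build_tiff([4096])),
               ("three strips, big-endian", build_tiff([1024, 1024, 2048])),
               ("one strip, little-endian", build_tiff([4096], big_endian=False)))
    for label, sample in samples:
        print(label, "| content match:", content_match(sample),
              "| parsed StripByteCounts:", strip_byte_counts(sample))
```

Running it shows the gap Jeremy describes: the single-strip big-endian file is matched by the quoted bytes, while the three-strip file is not, even though `strip_byte_counts()` recovers all three values once the offset is followed. The little-endian sample writes the same entry as `17 01 04 00 01 00 00 00`, so a content-only approach also needs a separate pattern per byte order; a parser that honours the header's byte-order mark, as above, needs neither.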
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!