Snort Rules to Detect JPEG GDI+ Exploits
New Snort IDS rules are available that can help detect attempts to exploit the JPEG GDI+ vulnerability.
September 22, 2004
If you use Snort then you might want to make sure your rules are up to date to contain detection for the JPEG GDI+ vulnerability. If you don't have rules in place for such detection then here are three that you can add:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
JPEG parser heap overflow attempt"; flow:from_server,established;
content:"image/jp"; nocase; pcre:"/^Content-Types*x3as*imagex2fjpe?g.*xFFxD8.{2}.*xFF[xE1xE2xEDxFE]x00[x00x01]/smi";reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-admin; sid:2705; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Types*x3as*imagex2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/xFF[xE1xE2xEDxFE]x00[x00x01]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:1;)
About the Author
You May Also Like