Re: [ISSForum] Signature availability questions

--- Gary Flynn <flynngn@xxxxxxx> wrote:
> I'm not sure this is the right place for this but:

Yes, it is.

> 1. Is there a signature to detect an HTTP response with a
>     content-type of application/hta in any of the network
>     sensor products?

We've added the signature for the next XPU.

Unfortunately, the signature will trigger false-positives if somebody is
actually using HTA (HTML applications) within their intranets. As you say,
hackers have been exploiting this, so we need to publish this signature despite
this false-positive condition. We probably should have published the signature
before now, but we've been looking for ways to tie it back to object
instantiation within web pages. Unfortunately, there is no good way to do that,
because of JavaScripting. Therefore, we are left with a simple signature that
simply triggers on HTTP response "Content-Type" equal to "application/hta",
which will have that false-positive problem.

> 2. I notice there is a signature for the Windows RPC Messenger
>     overflow but I suspect it is for requests going through the
>     mapper on port 135. Can anyone confirm this and/or point out
>     a signature for direct Messenger traffic connections to high
>     UDP ports?

We trigger correctly on high ports.

We describe the problem of high-ports in the advisory we published on the
Messenger bug:
We explicitly tested the XPU using exploits against high-number UDP ports.

Note that both our XPU and advisory came out on October 15, the same day that
Microsoft issued the MS03-043 bulletin on the Messenger bug. This was long
before people on bugtraq "discovered" the high-ports problem.

Robert Graham
Chief Scientist, ISS
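As an added illustration of the signature described in the reply above (this is example code written for this archive page, not ISS's XPU signature or anything from the original message), the block below parses raw HTTP responses, fires when the Content-Type media type equals application/hta regardless of header case or trailing parameters such as a charset, and shows how a defender would tune out the false positive the reply warns about. The allowlist of intranet hosts, the `(server_host, raw_response)` flow format and the sample traffic are all assumptions constructed for the example.

```python
"""Added example (not ISS code): detector for an HTTP response whose
Content-Type is application/hta, with tuning for legitimate intranet HTA use.

Assumptions (not from the original message): responses are given as raw
HTTP/1.x response text paired with the server host, and a host allowlist is
used to suppress the known false positive instead of disabling the signature.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Header names are case-insensitive in HTTP, so match Content-Type loosely.
_CONTENT_TYPE_RE = re.compile(r"^content-type\s*:\s*(.+?)\s*$", re.IGNORECASE)
_HEAD_BODY_SPLIT = re.compile(r"\r?\n\r?\n")   # blank line ends the headers
_LINE_SPLIT = re.compile(r"\r?\n")             # tolerate bare LF as well as CRLF


def content_type_of(response: str) -> Optional[str]:
    """Return the media type of the response, lower-cased and stripped of
    parameters such as '; charset=utf-8'. None when no Content-Type is present."""
    head = _HEAD_BODY_SPLIT.split(response, 1)[0]
    for line in _LINE_SPLIT.split(head)[1:]:   # [0] is the status line
        m = _CONTENT_TYPE_RE.match(line)
        if m:
            return m.group(1).split(";", 1)[0].strip().lower()
    return None


def is_hta_response(response: str) -> bool:
    """The signature itself: Content-Type media type equal to application/hta."""
    return content_type_of(response) == "application/hta"


def scan_flows(flows: Iterable[Tuple[str, str]],
               allowed_hosts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Run the signature over (server_host, raw_response) pairs.

    allowed_hosts holds servers known to serve HTA legitimately inside the
    intranet. Hits from those hosts are still returned, marked 'suppressed',
    so the tuning remains auditable rather than silently hiding traffic."""
    allowed = {h.lower() for h in allowed_hosts}
    hits: List[Dict[str, str]] = []
    for host, response in flows:
        if not is_hta_response(response):
            continue
        status = "suppressed" if host.lower() in allowed else "alert"
        hits.append({"host": host, "status": status,
                     "content_type": content_type_of(response) or ""})
    return hits


# Constructed sample traffic for the example; not real captures.
SAMPLE_FLOWS = [
    ("www.example.net",
     "HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\nContent-Length: 5\r\n\r\nhello"),
    ("www.example.net",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"),
    ("intranet-apps.corp.example",   # hypothetical internal HTA server
     "HTTP/1.0 200 OK\nCONTENT-TYPE: Application/HTA; charset=windows-1252\n\n<html></html>"),
    ("www.example.net",
     "HTTP/1.1 204 No Content\r\nServer: x\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS, allowed_hosts=["intranet-apps.corp.example"]):
        print(hit)
```

Running the block prints two hits: an alert for the external server and a suppressed hit for the allowlisted intranet host; the text/html response and the header-less 204 produce nothing. Keeping suppressed hits in the output, rather than dropping them, is deliberate: it lets the allowlist be reviewed later, which matters because the reply notes the signature cannot be tied back to object instantiation in the page and so has nothing but the header to go on.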
