
Re: [ISSForum] HTML_Mshtml_Overflow



This bit from the CVE entry makes for interesting reading:

'Buffer overflow in mshtml.dll in Microsoft Internet Explorer
6.0.2900.2180, and probably other versions, allows remote attackers to
execute arbitrary code via an HTML tag with a large number of script
action handlers such as onload and onmouseover, as demonstrated using
onclick, aka the "Multiple Event Handler Memory Corruption
Vulnerability." '

There is a demo page here:
http://lcamtuf.coredump.cx/iedie.html

Some code from the page looks like this:

<html><body><img
src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo  onclick=bork
onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
onclick=bork onclick=bork.........


It is possible that ISS is counting "large number[s] of script action
handlers" in web pages (those "onclick" actions above) and false
positives come from either 1) alerting on too few actions*, or 2)
alerting on the right number of actions, but they are in non-malicious
web pages.  

*There doesn't seem to be agreement on how many is too many.

In this case, there is probably no way to distinguish the malicious
page from the non-malicious automagically.  I see a lot of these events
from web-based mail sites (like Yahoo), online shopping and travel
sites, and other feature-rich sites.  The key here is "feature-rich
site"; lots of buttons and actions.  With this and other similar sigs,
it takes an alert (pun intended) analyst to 1) weed out the innocuous
sites, 2) correlate any malicious activity from the target after the
event occurred (assuming it does something to attract the attention of
the IDS), and 3) confirm that the target host is patched to current.

Interestingly, we also see alerts for this sig from traffic between our
inbound mail gateway and the spam-scrubbers.  I haven't seen the spam
itself, but I'm guessing maybe it was HTML-based(??).  And, yes, that
would mean that ISS is analyzing SMTP traffic with this signature.

Jason
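To make the point above concrete, here is an added example (my own code, not anything from ISS or from the demo page) that counts event-handler attributes two ways over constructed HTML: page-wide, which is roughly what a coarse signature would do and which a feature-rich site trips, and per element, which only the stacked-onclick pattern trips. The threshold of 20 is an assumed parameter, since the post notes there is no agreement on how many is too many.

```python
from html.parser import HTMLParser


class HandlerCounter(HTMLParser):
    """Count on* attributes both across the page and on the busiest single tag."""

    def __init__(self):
        super().__init__()
        self.page_total = 0        # handlers anywhere in the document
        self.max_per_element = 0   # most handlers seen on one start tag
        self.worst_tag = None      # name of that tag

    def handle_starttag(self, tag, attrs):
        # HTMLParser keeps duplicate attributes, so repeated onclick= all count.
        n = sum(1 for name, _ in attrs if name.startswith("on"))
        self.page_total += n
        if n > self.max_per_element:
            self.max_per_element = n
            self.worst_tag = tag


def analyze(html):
    """Return handler statistics for a document."""
    p = HandlerCounter()
    p.feed(html)
    p.close()
    return {"page_total": p.page_total,
            "max_per_element": p.max_per_element,
            "worst_tag": p.worst_tag}


def page_wide_verdict(html, threshold=20):
    """Coarse heuristic: alert when the whole page has many handlers (noisy)."""
    return analyze(html)["page_total"] >= threshold


def per_element_verdict(html, threshold=20):
    """Tighter heuristic: alert only when one tag carries many handlers."""
    return analyze(html)["max_per_element"] >= threshold


# Constructed samples (not captured traffic).
DEMO_LIKE = "<html><body><foo " + "onclick=bork " * 50 + "></foo></body></html>"
FEATURE_RICH = ("<html><body>"
                + "".join(f'<button onclick="go({i})">b{i}</button>' for i in range(50))
                + "</body></html>")

if __name__ == "__main__":
    for name, doc in (("demo-like", DEMO_LIKE), ("feature-rich", FEATURE_RICH)):
        print(name, analyze(doc), page_wide_verdict(doc), per_element_verdict(doc))
```

Both samples contain 50 handlers, so the page-wide rule alerts on both; only the per-element rule separates the stacked tag from fifty ordinary buttons.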

--- "Soldatov, Sergey V." <SVSoldatov@xxxxxxxxxx> wrote:

> I see HTML_Mshtml_Overflow event generated from:
> 62.140.23.27
> 81.177.28.61
> 
> Why? Is that false positives? How to configure HTML_Mshtml_Overflow
> signature to mitigate such FPs? How does HTML_Mshtml_Overflow work?
> What
> does it search for?
> 
> Thanks.
> 
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 495 745 89 50 
> tel +7 495 777 77 07 (1613)
> 
> 
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
> 
> To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
> 
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> 


