
Re: [ISSForum] HTML_Mshtml_Overflow



Jason,
Thanks very much for your explanation!
I think that ISS should give us a PAM parameter to configure the number of
script action handlers (in this case I would simply increase this param) or
somehow rewrite the signature to reduce the number of false positives.

Thanks again.
Good luck!

-- Sergey


> -----Original Message-----
> From: Jason Baeder [mailto:jason_baeder@xxxxxxxxx] 
> Sent: Monday, May 08, 2006 7:13 PM
> To: Soldatov, Sergey V.; issforum@xxxxxxx
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> 
> This bit from the CVE entry makes for interesting reading:
> 
> 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer 
> 6.0.2900.2180, and probably other versions, allows remote 
> attackers to execute arbitrary code via an HTML tag with a 
> large number of script action handlers such as onload and 
> onmouseover, as demonstrated using onclick, aka the "Multiple 
> Event Handler Memory Corruption Vulnerability." '
> 
> There is a demo page here:
> http://lcamtuf.coredump.cx/iedie.html
> 
> Some code from the page looks like this:
> 
> <html><body><img
> src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo  
> onclick=bork onclick=bork onclick=bork onclick=bork 
> onclick=bork onclick=bork onclick=bork onclick=bork 
> onclick=bork onclick=bork onclick=bork onclick=bork 
> onclick=bork.........
> 
> 
> It is possible that ISS is counting "large number[s] of 
> script action handlers" in web pages (those "onclick" actions 
> above) and false positives come from either 1) alerting on 
> too few actions*, or 2) alerting on the right number of 
> actions, but they are in non-malicious web pages.  
> 
> *There doesn't seem to be agreement on how many is too many.
> 
> In this case, there is probably no way to distinguish the 
> malicious page from the non-malicious automagically.  I see a 
> lot of these events from web-based mail sites (like Yahoo), 
> online shopping and travel sites, and other feature-rich 
> sites.  The key here is "feature-rich site"; lots of buttons 
> and actions.  With this and other similar sigs, it takes an 
> alert (pun intended) analyst to 1) weed out the innocuous 
> sites, 2) correlate any malicious activity from the target 
> after the event occurred (assuming it does something to 
> attract the attention of the IDS), and 3) confirm that the 
> target host is patched to current.
> 
> Interestingly, we also see alerts for this sig from traffic 
> between our inbound mail gateway and the spam-scrubbers.  I 
> haven't seen the spam itself, but I'm guessing maybe it was 
> HTML-based(??).  And, yes, that would mean that ISS is 
> analyzing SMTP traffic with this signature.
> 
> Jason
> 
> --- "Soldatov, Sergey V." <SVSoldatov@xxxxxxxxxx> wrote:
> 
> > I see HTML_Mshtml_Overflow event generated from:
> > 62.140.23.27
> > 81.177.28.61
> > 
> > Why? Is that false positives? How to configure HTML_Mshtml_Overflow
> > signature to mitigate such FPs? How does HTML_Mshtml_Overflow work?
> > What does it search for?
> > 
> > Thanks.
> > 
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 495 745 89 50
> > tel +7 495 777 77 07 (1613)
> > 
> > 
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@xxxxxxx
> > 
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > 
> > To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
> > 
> > The ISSForum mailing list is hosted and managed by Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> > 
> 
> 
> 


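As an added illustration of the counting hypothesis in Jason's reply above (this is not code from the thread, from the demo page, or from ISS; the two rule shapes, the thresholds and the two sample pages are assumptions constructed for the demonstration), the script below counts script action handlers both page-wide and on the single busiest element, then shows which candidate rule each page would trip. A feature-rich page with many buttons, each carrying one handler, crosses a page-total threshold just as the repeated-handler pattern does, which is exactly the false-positive source the reply describes; a per-element count separates the two.

```python
from html.parser import HTMLParser


def _is_handler(attr_name: str) -> bool:
    # Event-handler attributes all begin with "on" (onclick, onload, ...).
    return attr_name.startswith("on")


class HandlerCounter(HTMLParser):
    """Count script action handlers page-wide and on the busiest element."""

    def __init__(self):
        super().__init__()
        self.total = 0          # handlers anywhere on the page
        self.per_tag_max = 0    # most handlers seen on a single element
        self.busiest_tag = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser passes duplicate attributes as separate (name, value)
        # pairs, so a tag repeating onclick=... 40 times yields 40 entries.
        n = sum(1 for name, _ in attrs if _is_handler(name))
        self.total += n
        if n > self.per_tag_max:
            self.per_tag_max, self.busiest_tag = n, tag


def count_handlers(page: str) -> dict:
    parser = HandlerCounter()
    parser.feed(page)
    parser.close()
    return {
        "total": parser.total,
        "per_tag_max": parser.per_tag_max,
        "busiest_tag": parser.busiest_tag,
    }


def evaluate(page: str, total_threshold: int = 20, per_tag_threshold: int = 20) -> dict:
    """Report which of two hypothetical rule shapes would fire on the page.

    The threshold values are assumptions for this demonstration; the thread
    notes there is no agreement on how many handlers is "too many".
    """
    counts = count_handlers(page)
    return {
        "page_total_rule": counts["total"] >= total_threshold,
        "per_tag_rule": counts["per_tag_max"] >= per_tag_threshold,
        **counts,
    }


# Constructed sample 1: a feature-rich page (webmail-style toolbar) where
# 30 buttons each carry exactly one handler.
FEATURE_RICH_PAGE = "<html><body>" + "".join(
    f'<button onclick="act({i})">b{i}</button>' for i in range(30)
) + "</body></html>"

# Constructed sample 2: one element with the same handler attribute
# repeated many times, the shape quoted from the demo page in the thread.
REPEATED_HANDLER_PAGE = (
    "<html><body><span " + " ".join(["onclick=bork"] * 40) + "></span></body></html>"
)

if __name__ == "__main__":
    for label, page in (("feature-rich", FEATURE_RICH_PAGE),
                        ("repeated-handler", REPEATED_HANDLER_PAGE)):
        print(label, evaluate(page))
```

Run stand-alone, the feature-rich page reports 30 handlers in total but at most one per element, so only the page-total rule fires on it; the repeated-handler page reports 40 on a single element and trips both rules. This is why, as the reply says, an analyst tuning a count-based signature has to decide whether the count is taken per page or per tag, and then still review the hits from busy legitimate sites.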