
Re: [ISSForum] HTML_Mshtml_Overflow



Sorry, it's documented in the new PAM documentation (KB #2190). I have been
working with the old one... It's my mistake.

Thanks a lot!

--- Sergey

> -----Original Message-----
> From: Means, David (ISS Atlanta) [mailto:DMeans@xxxxxxx] 
> Sent: Friday, May 12, 2006 8:21 PM
> To: Soldatov, Sergey V.
> Subject: RE: [ISSForum] HTML_Mshtml_Overflow
> 
> Sergey:
> 
> The tuning param you're looking for is pam.html.mshtml.bo
> 
> It should be documented in the help, if it's not, please let
> me know and I'll open a change request.
> 
> 
> David Means
> Team Lead / X-Force PAM Development
> Internet Security Systems
> 6303 Barfield Road
> Atlanta, GA. 30328
> Office: 404-236-2842
> 
> -----Original Message-----
> From: issforum-bounces@xxxxxxxxxxxxxxxx On Behalf Of 
> Soldatov, Sergey V.
> Sent: Thursday, May 11, 2006 8:43 AM
> To: issforum@xxxxxxxxxxxxxxxx
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> 
> 
> Jason,
> Thanks very much for your explanation!
> I think that ISS should give us a PAM parameter to configure the
> number of script action handlers (in this case I simply
> increase this param) or somehow rewrite the signature to reduce the
> number of false positives.
> 
> Thanks again.
> Good luck!
> 
> -- Sergey
> 
> 
> > -----Original Message-----
> > From: Jason Baeder [mailto:jason_baeder@xxxxxxxxx]
> > Sent: Monday, May 08, 2006 7:13 PM
> > To: Soldatov, Sergey V.; issforum@xxxxxxx
> > Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> > 
> > This bit from the CVE entry makes for interesting reading:
> > 
> > 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer
> > 6.0.2900.2180, and probably other versions, allows remote attackers to
> > execute arbitrary code via an HTML tag with a large number of script
> > action handlers such as onload and onmouseover, as demonstrated using
> > onclick, aka the "Multiple Event Handler Memory Corruption
> > Vulnerability." '
> > 
> > There is a demo page here:
> > http://lcamtuf.coredump.cx/iedie.html
> > 
> > Some code from the page looks like this:
> > 
> > <html><body><img
> > src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork 
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork 
> > onclick=bork onclick=bork onclick=bork.........
> > 
> > 
> > It is possible that ISS is counting "large number[s] of script action
> > handlers" in web pages (those "onclick" actions above) and false
> > positives come from either 1) alerting on too few actions*, or 2)
> > alerting on the right number of actions, but they are in non-malicious
> > web pages.
> > 
> > *There doesn't seem to be agreement on how many is too many.
> > 
> > In this case, there is probably no way to distinguish the malicious
> > page from the non-malicious automagically.  I see a lot of these
> > events from web-based mail sites (like Yahoo), online shopping and
> > travel sites, and other feature-rich sites.  The key here is
> > "feature-rich site"; lots of buttons and actions.  With this and other
> > similar sigs, it takes an alert (pun intended) analyst to 1) weed out
> > the innocuous sites, 2) correlate any malicious activity from the
> > target after the event occurred (assuming it does something to attract
> > the attention of the IDS), and 3) confirm that the target host is
> > patched to current.
> > 
> > Interestingly, we also see alerts for this sig from traffic between
> > our inbound mail gateway and the spam-scrubbers.  I haven't seen the
> > spam itself, but I'm guessing maybe it was HTML-based(??).  And, yes,
> > that would mean that ISS is analyzing SMTP traffic with this
> > signature.
> > 
> > Jason
> > 
> > --- "Soldatov, Sergey V." <SVSoldatov@xxxxxxxxxx> wrote:
> > 
> > > I see HTML_Mshtml_Overflow event generated from:
> > > 62.140.23.27
> > > 81.177.28.61
> > > 
> > > Why? Are those false positives? How to configure HTML_Mshtml_Overflow
> > > signature to mitigate such FPs? How does HTML_Mshtml_Overflow work?
> > > What does it search for?
> > > 
> > > Thanks.
> > > 
> > > ---
> > > Best regards, Sergey V. Soldatov.
> > > Information security department.
> > > tel/fax +7 495 745 89 50
> > > tel +7 495 777 77 07 (1613)
> > > 
> > > 
> > > _______________________________________________
> > > ISSForum mailing list
> > > ISSForum@xxxxxxx
> > > 
> > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > > 
> > > To contact the ISSForum Moderator, send email to
> > > mod-issforum@xxxxxxx
> > > 
> > > The ISSForum mailing list is hosted and managed by Internet
> > > Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> > > 
> > 
> > 
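Added example, not ISS/PAM code and not part of the thread above: a Python sketch of the heuristic Jason describes, counting inline event-handler attributes in an HTML page. It keeps both a page-wide total and a per-tag maximum, because the false-positive sources named in the thread (feature-rich sites with many buttons, each carrying a handler or two) are exactly the pages a page-wide count cannot tell apart from one element that carries the same handler many times over. The thresholds, the two sample pages and the `classify()` function are assumptions made for this example; the thread does not say how PAM actually counts, nor what `pam.html.mshtml.bo` controls beyond being the tuning parameter for this signature.

```python
"""Count inline event-handler attributes per HTML start tag.

Added example (not ISS/PAM code): models the "large number of script
action handlers" heuristic discussed on the ISSForum thread and shows
why a page-wide count alerts on feature-rich pages while a per-tag
count does not.
"""
from html.parser import HTMLParser

# Assumed thresholds. The thread notes there is no agreement on
# "how many is too many"; these values only serve the example.
PER_TAG_THRESHOLD = 8
PER_PAGE_THRESHOLD = 8


class HandlerCounter(HTMLParser):
    """Records, for each start tag, how many on* attributes it carries.

    HTMLParser hands attributes over as a list of (name, value) pairs,
    so a tag that repeats onclick=... several times contributes every
    repetition to the count instead of collapsing them into one.
    """

    def __init__(self):
        super().__init__()
        self.per_tag = []  # list of (tag_name, handler_count)

    def handle_starttag(self, tag, attrs):
        # Attribute names arrive lowercased; inline handlers all start with "on".
        count = sum(1 for name, _value in attrs if name.startswith("on"))
        self.per_tag.append((tag, count))


def count_handlers(html):
    """Return (max handlers on any single tag, total handlers on the page)."""
    parser = HandlerCounter()
    parser.feed(html)
    parser.close()
    counts = [n for _tag, n in parser.per_tag]
    return (max(counts, default=0), sum(counts))


def classify(html, per_tag=PER_TAG_THRESHOLD, per_page=PER_PAGE_THRESHOLD):
    """Return which heuristic would alert on this page.

    "page" mimics a signature that only totals handlers across the page;
    "tag" requires the handlers to pile up on one element, which is the
    shape of the repeated-onclick snippet quoted in the thread.
    """
    max_on_one_tag, total = count_handlers(html)
    return {
        "page": total >= per_page,
        "tag": max_on_one_tag >= per_tag,
        "max_on_one_tag": max_on_one_tag,
        "total": total,
    }


# Constructed samples, not captured traffic.
# One element repeating the same handler, the shape the thread describes;
# only enough repetitions to cross the assumed threshold.
REPEATED_HANDLER_PAGE = "<html><body><foo " + " ".join(["onclick=x"] * 12) + ">"

# A "feature-rich" page: many buttons, each with one or two handlers.
FEATURE_RICH_PAGE = "<html><body>" + "".join(
    f'<button onclick="go({i})" onmouseover="hl({i})">{i}</button>'
    for i in range(10)
) + "</body></html>"


if __name__ == "__main__":
    for name, page in (("repeated", REPEATED_HANDLER_PAGE),
                       ("feature-rich", FEATURE_RICH_PAGE)):
        print(name, classify(page))
```

Running it shows the feature-rich page tripping the page-wide count (20 handlers in total, 2 per tag at most) while only the repeated-handler page trips the per-tag count. Whichever way the real signature counts, the triage steps Jason lists still apply to each event: rule out the innocuous site, look for follow-on activity from the client, and confirm the client's patch level.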