I am sending this to bugtraq because I think it meets the criteria for postings, specifically, for recognizing the use of security holes. The NFR package is available from http://www.nfr.net, please read the license carefully before installing. I am very much affiliated with NFR, but this is not intended as a commercial posting.

It was recently announced that MS IE, MS Outlook, and Netscape Communicator for Windows are vulnerable to buffer overflows that involve MIME headings; perhaps filenames. The only example I have seen was from Ryan Veety (rootat_private) from the bugtraq mailing list which stated that "Content-Disposition: attachment; filename=AAAAA...AAAAAAA" would bust a reader.

I started to work on N-Code that would only detect long filenames. Then it occurred to me, "Why only filenames--Who's to say that next week the Content-Type will be vulnerable, too?" So this counts the number of characters in every TCP stream from "Content-" to the next "\n". If it exceeds the threshold, it records what it's got and the rest of the TCP session to a recorder, and sends an alert.

This is not fancy. Nor is it guaranteed to work. I promise there are ways to circumvent this. This comes with no warranty whatsoever. Use at your own risk. Please read the comments in the .nfr file about installing properly once you have the NFR distribution.

--------------------- bigmime.nfr

#
# Copyright(C) 1998 Network Flight Recorder, Inc.
# All rights reserved.
#
# Use and distribution of this software and its source code
# are governed by the terms and conditions of the
# Network Flight Recorder Software License ("LICENSE.TXT" in
# the NFR distribution.)
#
# This filter is experimental and comes with absolutely, positively,
# unconditionally, no warranty or support whatsoever. It is being
# distributed to help administrators know whether this particular
# attack is being attempted on their networks.
#
# Abstract: Detect big MIME controls within TCP sessions
#
# Notes:
# This backend expects to be put in a package called "id".
# Change the "bigmime_recorder" declaration if that's not
# the case.
#
# Be sure to add an entry in etc/spaceman.cf so that if this
# starts recording gobs of data, your hard drive doesn't fill
# up.
#
# For alerts to work, you must create a user source of
# BIG_MIME and a user message of SUSPICIOUS_ACTIVITY.
#
# Author: M. Dodge Mumford, NFR
#
# Date: 31 July 1998

SEARCHSTRING = "Content-" ;   # start of every MIME header line we measure
MAXLINELEN = 100 ;            # longest "Content-...\n" line we tolerate
BUFFLEN = 2048 ;              # how much of a quiet session stays buffered

# One record per violation: time, TCP hash, src ip, src port, dst ip, dst port, blob.
# The field order must match the column order in bigmime.cfg.
bigmime_schema = library_schema:new ( 1, [ "time", "int", "ip", "int", "ip", "int", "blob" ], scope()) ;
bigmime_recorder = recorder ( "bin/list packages/id/bigmime.cfg", "bigmime_schema" ) ;

filter bigmime tcp ( ) {
    declare $seen inside tcp.connSym ;
    declare $session inside tcp.connSym ;
    declare $violation inside tcp.connSym ;

    # Accumulate the payload of this connection.
    if ( ! $seen ) {
        $seen = 1 ;
        $session = tcp.blob ;
    } else {
        $session = cat ( $session, tcp.blob ) ;
    }

    # Measure from the first "Content-" in the buffer to the next newline.
    $position = index ( $session, SEARCHSTRING ) ;
    if ( $position > -1 ) {
        $tempstring = substr ( $session, $position ) ;
        $endofline = index ( $tempstring, "\n" ) ;
        if ( $endofline > MAXLINELEN ) {
            $violation = 1 ;
        }
    }

    # Once a violation is seen keep everything for the recorder; otherwise
    # drop the oldest BUFFLEN bytes so the buffer does not grow without bound.
    if ( $violation != 1 ) {
        if ( strlen ( $session ) > BUFFLEN ) {
            $session = substr ( $session, BUFFLEN ) ;
        }
    }
}

filter donemime tcp ( discardsession ) {
    declare $seen inside tcp.connSym ;
    declare $session inside tcp.connSym ;
    declare $violation inside tcp.connSym ;

    if ( $violation == 1 ) {
        echo ( tcp.connSrc, ":", tcp.connSport, " -> ", tcp.connDst, ":", tcp.connDport, " violated the rule.\n" ) ;
        echo ( $session, "\n" ) ;
        $message = cat ( tcp.connSrc, ":", tcp.connSport, " -> ", tcp.connDst, ":", tcp.connDport, " -- saw a large MIME entry\n" ) ;
        alert ( alert:BIG_MIME, alert:SUSPICIOUS_ACTIVITY, $message ) ;
        # Source before destination, to match the column labels in bigmime.cfg.
        record system.time, tcp.connHash, tcp.connSrc, tcp.connSport, tcp.connDst, tcp.connDport, $session to bigmime_recorder ;
    }
}

----------------------- bigmime.cfg

#
# Copyright(C) 1998 Network Flight Recorder, Inc.
# All rights reserved.
#
# Use and distribution of this software and its source code
# are governed by the terms and conditions of the
# Network Flight Recorder Software License ("LICENSE.TXT")
#
# Abstract: bigmime recorder configuration file.
# Notes: See bigmime.nfr for details
# Author: M. Dodge Mumford, NFR
# Date: 31 July 1998
#
enabled=true
title=Big MIMEs
gui=list
num_columns=6
column_1_type=p_int
column_2_type=p_src_ip
column_3_type=p_src_port
column_4_type=p_dst_ip
column_5_type=p_dst_port
column_6_type=p_string
column_1_label=TCP Hash
column_2_label=Source IP
column_3_label=Source Port
column_4_label=Dest IP
column_5_label=Dest Port
column_6_label=Blob
cfversion=1
rollover_size=yes
rollover_size_val=1024000
rollover_time=YES
rollover_time_val=300000
archive_path=data/%p/%b/%y/%m%d/
modified=false
origin=M. Dodge Mumford, NFR

-----
Dodge
dodgeat_private
PGP key available upon request
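The detection logic described in the post, as an added example in Python that is not part of the original N-Code and not NFR's code. It applies the same rule (measure every line that starts with "Content-" up to its newline, fire when it exceeds MAXLINELEN) to the reassembled payload of one TCP connection, fed one segment at a time. It deliberately goes beyond the .nfr filter in three ways, each of which closes a circumvention the post alludes to: it checks every Content- header in the stream rather than only the first one found in the buffer, it unfolds RFC 822 continuation lines (a leading space or tab) before measuring, and it judges an unterminated line as soon as it crosses the threshold, so a header that never receives a newline is still reported. The class and function names and the three sample streams are mine and are constructed for this example; a real deployment would feed it from a TCP reassembler.

```python
"""Stateful detector for oversized MIME "Content-*" header lines.

Added example, not NFR N-Code. Python equivalent of the bigmime.nfr rule,
extended to unfold continuation lines, check every Content- header and
fire without waiting for a newline.
"""
from __future__ import annotations

from dataclasses import dataclass

SEARCHSTRING = b"content-"   # compared case-insensitively (headers are)
MAXLINELEN = 100             # same threshold as bigmime.nfr


@dataclass
class Violation:
    conn: str       # "src:sport -> dst:dport" label of the connection
    header: bytes   # the offending (unfolded) header as first reported
    length: int     # its length at that moment


def _is_content_header(line: bytes) -> bool:
    return line[: len(SEARCHSTRING)].lower() == SEARCHSTRING


def _is_continuation(line: bytes) -> bool:
    return line[:1] in (b" ", b"\t")      # RFC 822 folded header line


class BigMimeDetector:
    """Per-connection state, the equivalent of the 'inside tcp.connSym' variables."""

    def __init__(self, conn: str, maxlinelen: int = MAXLINELEN) -> None:
        self.conn = conn
        self.maxlinelen = maxlinelen
        self.pending = b""    # bytes received after the last newline
        self.current = None   # Content- header being accumulated, or None
        self.flagged = False  # current header (or pending tail) already reported
        self.violations: list[Violation] = []

    def feed(self, data: bytes) -> list[Violation]:
        """Consume one segment's payload; return the violations found in this call."""
        before = len(self.violations)
        self.pending += data
        while (nl := self.pending.find(b"\n")) >= 0:
            line = self.pending[:nl].rstrip(b"\r")
            self.pending = self.pending[nl + 1:]
            self._complete_line(line)
        self._check_tail()
        return self.violations[before:]

    def _complete_line(self, line: bytes) -> None:
        if self.current is not None and _is_continuation(line):
            self.current += line                  # folded header: keep measuring
        else:
            # If the tail check already reported this very line (current was
            # None), keep the flag so the newline does not cause a duplicate.
            self.flagged = self.flagged and self.current is None
            self.current = line if _is_content_header(line) else None
        if self.current is not None:
            self._report(self.current)

    def _check_tail(self) -> None:
        """Judge the not-yet-terminated line, so a newline is not required to fire."""
        tail = self.pending
        if self.current is not None and _is_continuation(tail):
            self._report(self.current + tail)     # continuation still in flight
        elif _is_content_header(tail):
            if self.current is not None:          # a new header began; old one is done
                self.current, self.flagged = None, False
            self._report(tail)

    def _report(self, header: bytes) -> None:
        if len(header) > self.maxlinelen and not self.flagged:
            self.flagged = True
            self.violations.append(Violation(self.conn, header, len(header)))


def scan_stream(conn: str, segments: list[bytes]) -> list[Violation]:
    """Feed the reassembled segments of one connection in order; return all violations."""
    det = BigMimeDetector(conn)
    for seg in segments:
        det.feed(seg)
    return det.violations


# Constructed sample streams (not captured traffic), one list of segments each.
NORMAL_STREAM = [b"From: a@example.test\r\nContent-Type: text/plain\r\n\r\nhello\r\n"]
# The long-filename case from the post, split so the line straddles two segments.
ATTACK_STREAM = [
    b"Subject: hi\r\nContent-Disposition: attachment; filename=" + b"A" * 60,
    b"A" * 200 + b"\r\n\r\nbody\r\n",
]
# Folded header: every physical line is short, the logical header is not.
FOLDED_STREAM = [b"Content-Type: application/octet-stream;\r\n name=" + b"B" * 150 + b"\r\n\r\n"]

if __name__ == "__main__":
    for name, stream in [("normal", NORMAL_STREAM), ("long filename", ATTACK_STREAM), ("folded", FOLDED_STREAM)]:
        for v in scan_stream("10.0.0.1:1234 -> 10.0.0.2:25", stream):
            print(f"{name}: {v.conn} -- Content- line of {v.length} bytes: {v.header[:60]!r}...")
```

The two-segment attack stream is reported on the first segment, before its newline ever arrives, which is the case the original filter's index-of-"\n" check cannot fire on; the folded stream is reported once the continuation is joined, which the original would miss because each physical line stays under MAXLINELEN.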
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:14 PDT