Re: [ISSForum] HTML_Mshtml_Overflow

From: Soldatov, Sergey V. (SVSoldatovtnk-bp.com)
Date: Mon May 15 2006 - 02:47:06 CDT


Sorry, it's documented in the new PAM documentation (KB #2190). I have been
working with the old one... It's my mistake.

Thanks a lot!

--- Sergey

> -----Original Message-----
> From: Means, David (ISS Atlanta) [mailto:DMeansiss.net]
> Sent: Friday, May 12, 2006 8:21 PM
> To: Soldatov, Sergey V.
> Subject: RE: [ISSForum] HTML_Mshtml_Overflow
>
> Sergey:
>
> The tuning param you're looking for is pam.html.mshtml.bo
>
> It should be documented in the help; if it's not, please let
> me know and I'll open a change request.
>
>
> David Means
> Team Lead / X-Force PAM Development
> Internet Security Systems
> 6303 Barfield Road
> Atlanta, GA. 30328
> Office: 404-236-2842
>
> -----Original Message-----
> From: issforum-bouncesatla-mm1.iss.net On Behalf Of
> Soldatov, Sergey V.
> Sent: Thursday, May 11, 2006 8:43 AM
> To: issforumatla-mm1.iss.net
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
>
>
> Jason,
> Thanks very much for your explanation!
> I think that ISS should give us a PAM parameter to configure the
> number of script action handlers (in this case I simply
> increase this param) or somehow rewrite the signature to reduce the
> number of false positives.
>
> Thanks again.
> Good luck!
>
> -- Sergey
>
>
> > -----Original Message-----
> > From: Jason Baeder [mailto:jason_baederyahoo.com]
> > Sent: Monday, May 08, 2006 7:13 PM
> > To: Soldatov, Sergey V.; issforumiss.net
> > Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> >
> > This bit from the CVE entry makes for interesting reading:
> >
> > 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer
> > 6.0.2900.2180, and probably other versions, allows remote attackers to
> > execute arbitrary code via an HTML tag with a large number of script
> > action handlers such as onload and onmouseover, as demonstrated using
> > onclick, aka the "Multiple Event Handler Memory Corruption
> > Vulnerability." '
> >
> > There is demo page here:
> > http://lcamtuf.coredump.cx/iedie.html
> >
> > Some code from the page looks like this:
> >
> > <html><body><img
> > src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
> > onclick=bork onclick=bork onclick=bork.........
> >
> >
> > It is possible that ISS is counting "large number[s] of script action
> > handlers" in web pages (those "onclick" actions above) and false
> > positives come from either 1) alerting on too few actions*, or
> > 2) alerting on the right number of actions, but they are in
> > non-malicious web pages.
> >
> > *There doesn't seem to be agreement on how many is too many.
> >
> > In this case, there is probably no way to distinguish the malicious
> > page from the non-malicious automagically. I see a lot of these
> > events from web-based mail sites (like Yahoo), online shopping and
> > travel sites, and other feature-rich sites. The key here is
> > "feature-rich site"; lots of buttons and actions. With this and other
> > similar sigs, it takes an alert (pun intended) analyst to 1) weed out
> > the innocuous sites, 2) correlate any malicious activity from the
> > target after the event occurred (assuming it does something to attract
> > the attention of the IDS), and 3) confirm that the target host is
> > patched to current.
> >
> > Interestingly, we also see alerts for this sig from traffic between
> > our inbound mail gateway and the spam-scrubbers. I haven't seen the
> > spam itself, but I'm guessing maybe it was HTML-based(??). And, yes,
> > that would mean that ISS is analyzing SMTP traffic with this
> > signature.
> >
> > Jason
> >
> > --- "Soldatov, Sergey V." <SVSoldatovtnk-bp.com> wrote:
> >
> > > I see HTML_Mshtml_Overflow event generated from:
> > > 62.140.23.27
> > > 81.177.28.61
> > >
> > > Why? Is that false positives? How to configure HTML_Mshtml_Overflow
> > > signature to mitigate such FPs? How does HTML_Mshtml_Overflow work?
> > > What does it search for?
> > >
> > > Thanks.
> > >
> > > ---
> > > Best regards, Sergey V. Soldatov.
> > > Information security department.
> > > tel/fax +7 495 745 89 50
> > > tel +7 495 777 77 07 (1613)
> > >
> > >
> > > _______________________________________________
> > > ISSForum mailing list
> > > ISSForumiss.net
> > >
> > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > >
> > > To contact the ISSForum Moderator, send email to
> > mod-issforumiss.net
> > >
> > > The ISSForum mailing list is hosted and managed by Internet
> > Security
> > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> > >
> >
> >
>
>
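Jason's guess above is that the signature counts script action handlers (onclick, onload and so on) on a tag and alerts once the count passes some threshold, and that a per-tag rule cannot separate one tag stuffed with duplicate handlers from a feature-rich page whose handlers are spread over many tags. The script below is an added illustration of that reasoning, not ISS's PAM code and not a description of how HTML_Mshtml_Overflow actually works. The handler list, the threshold (standing in for a tunable such as the pam.html.mshtml.bo parameter David mentions) and both HTML samples are constructed for the example.

```python
"""Count script action handlers per HTML tag and flag tags that exceed a
tunable threshold. Added example; the handler list and threshold are
assumptions, not the PAM signature's real values."""
from html.parser import HTMLParser

# Attribute names treated as script action handlers (constructed list).
EVENT_HANDLERS = {
    "onload", "onunload", "onclick", "onmouseover", "onmouseout",
    "onerror", "onfocus", "onblur", "onchange", "onsubmit",
}


class HandlerCounter(HTMLParser):
    """Record, for every start tag, how many handler attributes it carries.

    HTMLParser keeps duplicate attributes, so `onclick=a onclick=b` counts
    as two handlers, which is the case the CVE text describes."""

    def __init__(self):
        super().__init__()
        self.per_tag = []  # list of (tag_name, handler_count)

    def handle_starttag(self, tag, attrs):
        count = sum(1 for name, _ in attrs if name.lower() in EVENT_HANDLERS)
        self.per_tag.append((tag, count))


def handler_counts(html):
    """Return [(tag, handler_count), ...] in document order."""
    parser = HandlerCounter()
    parser.feed(html)
    parser.close()
    return parser.per_tag


def total_handlers(html):
    """Page-wide rule: total handlers across all tags."""
    return sum(n for _, n in handler_counts(html))


def max_handlers_per_tag(html):
    """Per-tag rule: largest handler count found on any single tag."""
    return max((n for _, n in handler_counts(html)), default=0)


def flag_tags(html, threshold):
    """Tags whose handler count reaches the threshold (the tunable knob)."""
    return [(tag, n) for tag, n in handler_counts(html) if n >= threshold]


# Constructed sample 1: a "feature-rich" page, 20 buttons with two handlers
# each. Many handlers in total, but only two on any one tag.
FEATURE_RICH = "<html><body>" + "".join(
    f'<button onclick="go({i})" onmouseover="hl({i})">b{i}</button>'
    for i in range(20)
) + "</body></html>"

# Constructed sample 2: one tag carrying the same handler twelve times,
# the shape the CVE entry quoted above describes.
SUSPECT = (
    "<html><body><foo " + " ".join(["onclick=bork"] * 12)
    + ">x</foo></body></html>"
)


if __name__ == "__main__":
    threshold = 8  # assumed tunable; the real default is not on the page
    for label, page in (("feature-rich", FEATURE_RICH), ("suspect", SUSPECT)):
        print(label, "total:", total_handlers(page),
              "max per tag:", max_handlers_per_tag(page),
              "flagged:", flag_tags(page, threshold))
```

With a per-tag threshold of 8 only the constructed suspect page is flagged; a page-wide total would flag the feature-rich page first (40 handlers versus 12), which is the false-positive trade-off the thread is about. Raising the threshold, as Sergey asks for, trades missed low-count variants for fewer alerts on legitimate sites.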
