MS ANI Exploit Rule, Details Emerging
Try out the following rule. There are reports of an ANI exploit being used like the old Dolphins JS exploits. This is by anonymous, thanks for the nice work!
Please let us know if you're getting hits or false positives on this one. It'll develop quickly; more detail as we get it:
# Note: this rule inspects the server's response ($HTTP_PORTS -> $HOME_NET), so the
# flow direction has to be from_server; with to_server the rule never matches.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,from_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)
Matt
April 2nd, 2007 at 12:20 am
Newest Version:
# Note: the pcre needs the s modifier so that .* also spans 0x0A bytes, which occur freely in binary ANI data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit (rule 2)"; flow:established,from_server; content:"anih"; nocase; content:"anih"; nocase; distance:4; pcre:"/^RIFF.*anih\x24\x00\x00\x00.*anih(?!\x24\x00\x00\x00)/ims"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2534; reference:url,www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003524; sid:2003524; rev:1;)
Matt
April 2nd, 2007 at 1:01 am
Also note that ZERT has a patch out:
http://isotf.org/zert/advisories/zert-2007-01.htm
Matt
April 2nd, 2007 at 8:13 am
I wrote a post regarding the rule you wrote at http://blogs.securiteam.com/index.php/archives/867; to summarize, the rule is not good enough.
April 2nd, 2007 at 6:50 pm
Most recent version is here:
http://doc.bleedingthreats.net/bin/view/Main/2003519
Matt
April 2nd, 2007 at 7:08 pm
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
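An offline check of what the rules above key on, added here as an example and not code from the original post or from any of the rule authors: a small RIFF chunk walker that flags every anih chunk whose declared size is not the 36-byte header (the threshold sid 3079's byte_test uses, and the \x24\x00\x00\x00 that rule 2's pcre expects on the second anih). The build_ani helper and the sample bytes are constructed test fixtures, not real files.

```python
import struct

ANIH_EXPECTED = 36  # declared size of a well-formed anih chunk


def parse_riff_chunks(data):
    """Yield (fourcc, declared_size, payload) for each chunk after the 12-byte RIFF header."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF file")
    yield from _walk(data, 12, len(data))


def _walk(data, pos, end):
    # Descends into LIST chunks so an anih nested in a LIST is seen too.
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        body_end = body_start + size          # may run past end on a bogus size
        if fourcc == b"LIST":
            yield from _walk(data, body_start + 4, min(body_end, end))  # skip list type
        else:
            yield fourcc, size, data[body_start:body_end]
        pos = body_end + (size & 1)           # chunks are word-aligned


def check_ani(data):
    """Return findings for anih chunks whose declared size is not 36; [] means none."""
    findings = []
    seen = 0
    for fourcc, size, _body in parse_riff_chunks(data):
        if fourcc.lower() != b"anih":          # rules match anih case-insensitively
            continue
        seen += 1
        if size != ANIH_EXPECTED:
            findings.append(f"anih #{seen} declares size {size}, expected {ANIH_EXPECTED}")
    if seen == 0:
        findings.append("no anih chunk")
    return findings


def build_ani(anih_sizes):
    """Constructed fixture: a RIFF/ACON container with one zero-filled anih per size."""
    body = b"ACON"
    for n in anih_sizes:
        body += b"anih" + struct.pack("<I", n) + b"\x00" * n + (b"\x00" if n & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(check_ani(build_ani([36])))          # benign: first anih is 36 bytes
    print(check_ani(build_ani([36, 1024])))    # second anih oversized, as rule 2 looks for
```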