Friday, March 30, 2007

You can't filter .ANI by URLs. Microsoft Animated Cursor vulnerability.

There are Windows Animated Cursor exploit(Microsoft Security Advisory 935423) is now wild.
In some japanese security proffessionals has some hypothesis...

Exploit with CSS(Cascading Style Sheets) Animated Cursor properties.

In "cursor properties" in CSS can use .ani file from anywhare .
Like this
<body style="cursor: url('')">

Internet Explorer shows contents NOT filename extention but file's contents.
Microsoft said "This is by design of Internet Explorer".

If .ANI file with faked filename extention URL, but IE shows .ani contents.
cursor: url(;

In this case URL is virus.txt not xxx.ani or xxx.cur, so you can't filter by URL.

So only SANS detection rule can detect this exploit.
Use this to detect Animated Cursor's Exploit....

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”BLEEDING-EDGE CURRENT EVENTS MS ANI exploit”; flow:established,from_server; content:”|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|”; classtype:attempted-admin; reference:url,; reference:url,; reference:url,; sid:2003519; rev:1;)

No comments: