There are Windows Animated Cursor exploit(Microsoft Security Advisory 935423) is now wild.
In some japanese security proffessionals has some hypothesis...
- http://bakera.jp/hatomaru.aspx/ebi/topic/2833 (Japanese Only)
- http://d.hatena.ne.jp/hasegawayosuke/20070330/p2 (Japanese Only)
************************************************
THIS IS NOT PROOFED VERIFICATED. BUT POSSIBILITY IDEA.
************************************************
In "cursor properties" in CSS can use .ani file from anywhare .
Like this
<body style="cursor: url('http://example.com/cursor.ani')">
Internet Explorer shows contents NOT filename extention but file's contents.
Microsoft said "This is by design of Internet Explorer".
If .ANI file with faked filename extention URL, but IE shows .ani contents.
cursor: url(http://example.com/virus.txt);
In this case URL is virus.txt not xxx.ani or xxx.cur, so you can't filter by URL.
So only SANS detection rule can detect this exploit.
Use this to detect Animated Cursor's Exploit....
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”BLEEDING-EDGE CURRENT EVENTS MS ANI exploit”; flow:established,from_server; content:”|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|”; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)
No comments:
Post a Comment