snort-users March 2009 archive

Re: [Snort-users] Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

From: JJ Cummings <cummingsj_at_nospam>
Date: Wed Mar 25 2009 - 23:51:10 GMT
To: "Jefferson, Shawn" <Shawn.Jefferson@bcferries.com>


Shawn,

You can ascertain this by asking yourself some simple questions:

  1. Is the system that this is alerting on affected by this, i.e., is it a system running the affected version of Microsoft Windows Media Player with the appropriate codecs?
  2. Is the file in question that is causing the alert even an mp4 file? Since you suspect that it's not, verify this... if it is, see question 1.

Answer both of those and you'll find the answer...

1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;)

On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn <Shawn.Jefferson@bcferries.com> wrote:

> I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt
> buffer overflow attempt (1:13318), and I’m thinking this is a false
> positive. The snort page for the alert doesn’t list any known false
> positives.
>
> Some of the payload info:
>
> HTTP/1.1 200 OK
> Date: Wed, 25 Mar 2009 20:51:54 GMT
> Server: Apache/1.3.41.fb2
> Expires: Mon, 26 Jul 1997 05:00:00 GMT
> Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> P3P: CP="HONK"
> Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
> Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
> X-Cnection: close
> Transfer-Encoding: chunked
> Content-Type: application/x-javascript; charset=utf-8
> Content-Encoding: gzip
>
> The reason I think it may be a false positive, is the fact that this
> appears to be a javascript, and is gzipped (??). I’ve seen other alerts
> triggered by JPEGs, and I’ve always assumed they were false positives, but I
> wanted to run it by all you because I could be missing something!
>
> Also, if this is a false positive, how do I go about helping fill out the
> snort alert DB on the website?
>
> Thanks,
> Shawn
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




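The two questions in the reply above can be turned into a repeatable check. The script below is an added example for this archive page; it is not code from either poster, from Snort or from the 3ivx advisory. It re-implements the match logic of SID 1:13318 (the |A9|cmt content match plus the relative 4-byte big-endian byte_test against 512), then applies the triage the reply asks for: is the body actually structured as an MP4 with a parsed ©cmt atom, and is it gzip-compressed, so that the bytes the rule matched are not the JavaScript the Content-Type describes. It assumes the input is the de-chunked HTTP response body and that the sensor evaluated the rule on the body as transmitted, i.e. still compressed, as a Snort without gzip decoding would. The box walker only descends into moov, udta and trak, and every sample payload is constructed inline; none reproduces the real 3ivx trigger file.

```python
"""Triage helper for Snort SID 1:13318 (WEB-CLIENT 3ivx MP4 '(c)cmt' overflow).

Added example, not code from the mailing list thread, Snort or 3ivx.
All sample payloads below are constructed for the demonstration.
"""
import gzip
import struct
import zlib

CMT_TAG = b"\xa9cmt"   # content:"|A9|cmt": the QuickTime user-data comment atom type
THRESHOLD = 512        # byte_test:4, >, 512, 0, relative
# Containers the box walker descends into; udta is where (c)cmt lives (assumption).
CONTAINERS = {b"moov", b"udta", b"trak"}


def rule_13318_matches(payload: bytes) -> bool:
    """Mirror of: content:"|A9|cmt"; byte_test:4, >, 512, 0, relative;

    byte_test reads the 4 bytes right after the content match as an unsigned
    big-endian integer (its default) and succeeds if the value exceeds 512.
    Like Snort, every occurrence of the tag is tried, not only the first.
    """
    idx = payload.find(CMT_TAG)
    while idx >= 0:
        field = payload[idx + 4: idx + 8]
        if len(field) == 4 and struct.unpack(">I", field)[0] > THRESHOLD:
            return True
        idx = payload.find(CMT_TAG, idx + 1)
    return False


def is_gzip(payload: bytes) -> bool:
    """gzip magic bytes; the alerting response carried Content-Encoding: gzip."""
    return payload[:2] == b"\x1f\x8b"


def looks_like_mp4(payload: bytes) -> bool:
    """ISO/QuickTime files open with a box header; the box type sits at offset 4."""
    return len(payload) >= 8 and payload[4:8] in {b"ftyp", b"moov", b"mdat", b"free", b"wide"}


def _walk_boxes(data: bytes, start: int, end: int, found: list, depth: int = 0) -> None:
    """Collect box types between start and end, descending into containers.
    Any inconsistent size stops the walk, so random bytes never parse as boxes."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:                  # 64-bit largesize
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                                     # box extends to end
            size = end - pos
        if size < header or pos + size > end:
            return
        found.append(btype)
        if btype in CONTAINERS and depth < 8:
            _walk_boxes(data, pos + header, pos + size, found, depth + 1)
        pos += size


def has_real_cmt_atom(payload: bytes) -> bool:
    """True only if (c)cmt appears as a parsed box inside the MP4 box tree."""
    found: list = []
    _walk_boxes(payload, 0, len(payload), found)
    return CMT_TAG in found


def triage(body: bytes) -> dict:
    """Classify one de-chunked HTTP response body for this alert.

    Assumes the sensor ran the rule on the body as transmitted (gzip-compressed
    when Content-Encoding: gzip is present); the decoded stream is checked here.
    """
    raw_match = rule_13318_matches(body)
    compressed = is_gzip(body)
    decoded = None
    if compressed:
        try:
            decoded = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            decoded = None                  # truncated capture or corrupt stream
    target = decoded if decoded is not None else body
    cmt_atom = looks_like_mp4(target) and has_real_cmt_atom(target)
    if raw_match and cmt_atom:
        verdict = "investigate: oversized (c)cmt atom inside a real MP4"
    elif raw_match and compressed:
        verdict = "false positive: tag matched in compressed bytes, not in the decoded content"
    elif raw_match:
        verdict = "false positive: tag bytes sit outside any MP4 box structure"
    elif cmt_atom:
        verdict = "missed: oversized (c)cmt atom only visible after gzip decoding"
    else:
        verdict = "no match"
    return {"raw_match": raw_match, "compressed": compressed, "cmt_atom": cmt_atom, "verdict": verdict}


def _box(btype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed MP4-like file: ftyp, then moov/udta/(c)cmt whose first four payload
# bytes read as 1024 big-endian, so byte_test passes. Not the real 3ivx trigger.
SAMPLE_MP4 = _box(b"ftyp", b"mp42\x00\x00\x00\x00mp42isom") + _box(
    b"moov", _box(b"udta", _box(CMT_TAG, struct.pack(">I", 1024) + b"A" * 1024)))
# Constructed non-MP4 binary (PNG signature) that happens to carry the tag bytes.
SAMPLE_PNG_LIKE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + CMT_TAG + struct.pack(">I", 70000) + b"\x00" * 8
# Constructed truncated gzip fragment, as a packet capture of a gzip body would
# hold, containing the tag by coincidence; it cannot be decompressed.
SAMPLE_GZIP_FRAGMENT = b"\x1f\x8b\x08\x00" + b"\x00" * 6 + b"\x5b\x7f" + CMT_TAG + b"\x00\x01\x02\x03\x12"
# The MP4 above, gzip-compressed as an HTTP body would be.
SAMPLE_GZIP_MP4 = gzip.compress(SAMPLE_MP4)

if __name__ == "__main__":
    for name, body in [("mp4", SAMPLE_MP4), ("png-like", SAMPLE_PNG_LIKE),
                       ("gzip-fragment", SAMPLE_GZIP_FRAGMENT), ("gzip-mp4", SAMPLE_GZIP_MP4)]:
        print(f"{name:14} {triage(body)['verdict']}")
```

Feed triage() the reassembled body from the alert's packet capture rather than the Snort payload snippet alone: a gzip body that is cut off mid-stream cannot be decoded, and the script then falls back to judging the raw bytes, which for compressed JavaScript is the false-positive case Shawn describes. The last sample shows the opposite failure: the same MP4 sent gzip-compressed would usually not trip the rule at all on the wire.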