Sig 5498 - Media Player IE Zone Bypass


This is a brand new signature, that I have not seen before, with little info available, other than a few lines in Cisco MySDN.

It states that:

"This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.

IOS not supported.

There are no known benign triggers".

I have tried researching the normal channels, google, MySDN and this forum.

Has anyone got any additional info about the cause and effect of this alert?


I have been discussing this with my colleagues and I am going to raise a TAC case. It seems to be the general consensus that any signature that fires with only a source IP (1-way) is a problem. I used to think that this was how it was, and that some signatures, by default, don't display a destination IP. I am beginning to think that this might be a bug of sorts??

How can we effectively report to our clients, network activity without a destination?

Any feedback would be welcome.

nicksmi Thu, 02/01/2007 - 15:14

Signature 5498-0 is a meta signature with two sub-components, signatures 5500-0 and 5501-0. Their descriptions follow.

5500

This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.

5501

This signature fires upon detecting ActiveX ADODB stream in return HTTP traffic.

This signature is a component of meta-signature 5498-0 and has no event-actions of its own defined.

The vulnerability itself is addressed by MS03-040.

What the signatures look for as a whole is return web traffic indicating the execution of an .asp file and an ActiveX object of type ADODB Stream.

You can read more about this vulnerability at the following links:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

http://www.securityfocus.com/bid/8263/info

As for the signatures keying on source address only, we are aware that this is an issue with older meta signatures and are working to update them.

wsulym Fri, 02/02/2007 - 12:12

Just as a little more detail... 5498-0, the ip address presented in the alert, is the source web server, serving what is possibly a malicious file. Now I (and this is a personal opinion) wouldn't care about the victim, since the victim is the client connecting to the web server. Your opinion on that may be different, and it appears to be, since you do want that information. That's an easy change, edit the signature and change the meta-key to AxBx (attacker & victim addresses) - now your alert will contain the attacker (which would be the server) and the victim (which is the client making that connection).
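To make the two replies above concrete, here is an added toy correlator (my own illustration, not Cisco IPS code or anything from the signature database). It models what nicksmi describes: a meta signature (5498-0) that fires only when both component signatures (5500-0 and 5501-0) have matched in return HTTP traffic, and what wsulym describes: the difference between keying the meta signature on the server address only and keying it on attacker and victim (AxBx). The component match logic is a deliberate simplification and an assumption of mine (5500 looks for an ASF content type or `.asf` filename in a response, 5501 looks for the string `ADODB.Stream` in a response body); the IP addresses and HTTP responses are constructed sample data. The example also goes slightly beyond the thread by showing a side effect of the source-only key in this toy: hits from two different clients behind the same server can be merged into one alert.

```python
"""Toy meta-signature correlator (constructed illustration, not Cisco code).

A meta signature fires when every component signature has matched for the
same correlation key. The key is either the server address alone ("Ax",
roughly the 1-way alert discussed in the thread) or server plus client
("AxBx", attacker and victim).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Response:
    """One HTTP response as seen by the sensor (constructed, not a capture)."""
    server: str           # web server that sent the response (the "attacker")
    client: str           # browser that requested it (the "victim")
    headers: Dict[str, str]
    body: bytes

# Assumed component patterns; the real 5500/5501 engines are not public here.
ASF_NAME_RE = re.compile(rb"\.asf\b", re.IGNORECASE)
ADODB_RE = re.compile(rb"ADODB\.Stream", re.IGNORECASE)

def sig_5500(resp: Response) -> bool:
    """Component 5500-0 (assumed): an ASF media file delivered in return traffic."""
    ctype = resp.headers.get("Content-Type", "").lower()
    disp = resp.headers.get("Content-Disposition", "").encode()
    return ctype == "video/x-ms-asf" or bool(ASF_NAME_RE.search(disp))

def sig_5501(resp: Response) -> bool:
    """Component 5501-0 (assumed): an ADODB.Stream ActiveX reference in the body."""
    return bool(ADODB_RE.search(resp.body))

# Components have no event actions of their own; only the meta signature alerts.
COMPONENTS: Dict[str, Callable[[Response], bool]] = {
    "5500-0": sig_5500,
    "5501-0": sig_5501,
}

def meta_key(resp: Response, key: str) -> Tuple[str, ...]:
    """Correlation key: 'Ax' = server only, 'AxBx' = server and client."""
    if key == "Ax":
        return (resp.server,)
    if key == "AxBx":
        return (resp.server, resp.client)
    raise ValueError(f"unknown meta-key {key!r}")

def correlate(responses: List[Response], key: str = "Ax") -> List[dict]:
    """Return one 5498-0 alert per key whose components have all matched."""
    seen: Dict[Tuple[str, ...], set] = {}
    alerts: List[dict] = []
    for resp in responses:
        hits = {name for name, match in COMPONENTS.items() if match(resp)}
        if not hits:
            continue
        k = meta_key(resp, key)
        seen.setdefault(k, set()).update(hits)
        if seen[k] == set(COMPONENTS):
            alerts.append({"sig": "5498-0", "key": key, "addresses": k,
                           "components": sorted(seen[k])})
            del seen[k]          # reset so the next full sequence alerts again
    return alerts

# Constructed sample traffic: one server, two clients (documentation IPs).
SERVER, CLIENT_A, CLIENT_B = "203.0.113.10", "192.0.2.5", "192.0.2.6"
ASF_HDRS = {"Content-Type": "video/x-ms-asf"}
HTML_HDRS = {"Content-Type": "text/html"}
ADODB_PAGE = b'<script>var s = new ActiveXObject("ADODB.Stream");</script>'

# Client A receives both an ASF file and the ADODB page; client B only the ASF.
SAMPLE_ONE_VICTIM = [
    Response(SERVER, CLIENT_A, ASF_HDRS, b"<constructed asf payload>"),
    Response(SERVER, CLIENT_A, HTML_HDRS, ADODB_PAGE),
    Response(SERVER, CLIENT_B, ASF_HDRS, b"<constructed asf payload>"),
]
# Each client sees only one component; no single victim saw the full sequence.
SAMPLE_SPLIT_VICTIMS = [
    Response(SERVER, CLIENT_B, ASF_HDRS, b"<constructed asf payload>"),
    Response(SERVER, CLIENT_A, HTML_HDRS, ADODB_PAGE),
]

def alert_addresses(responses: List[Response], key: str) -> List[Tuple[str, ...]]:
    """Convenience: just the address tuples of the alerts raised."""
    return [a["addresses"] for a in correlate(responses, key)]

if __name__ == "__main__":
    for key in ("Ax", "AxBx"):
        print(key, "one victim:", alert_addresses(SAMPLE_ONE_VICTIM, key))
        print(key, "split victims:", alert_addresses(SAMPLE_SPLIT_VICTIMS, key))
```

With the `Ax` key the alert carries only the server address, which is the 1-way alert the original poster is asking about; with `AxBx` it carries the server and the client that actually received both pieces. The split-victim sample shows why the key matters beyond reporting: under `Ax` the toy merges the two clients' partial hits into one alert, while under `AxBx` it stays silent because no single client saw the whole sequence.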
