11-04-2010 02:32 PM - edited 03-10-2019 05:10 AM
Seeing this signature firing quite a bit in the past hour. Initially started seeing activity from ASIAPAC and Europe; now seeing activity from the US.
Told our IPS to drop packets but not alert.
Anyone else seeing this signature fire?
Ron
11-04-2010 04:27 PM
Yes, we're seeing the same. Started with Signature version 528.0 for us at the noon auto update today. It was frequently blocking http responses from our web server to web clients. We had to disable the signature till we figure out what is going on. The full name of the signature is: Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
11-04-2010 07:35 PM
Cisco has noted this activity as well:
http://tools.cisco.com/security/center/viewAlert.x?alertId=21736
"Microsoft has indicated that targeted attacks have been observed in the wild. Current exploits may be prevented on Windows systems that implement Data Execution Prevention (DEP). Windows Vista and 7, along with Windows Server 2003 and 2008, incorporate DEP, reducing risk on these systems."
The extra special bonus? No patch is available at the moment ... fun.
"Microsoft has confirmed the vulnerability in a security advisory; however, software updates are not available."
This signature was just added in S528, which rolled out within the last 24 hours. That might explain why you haven't seen it until now.
11-05-2010 06:42 AM
Me too, especially from https://www.google.com/ig
Anybody else?
11-05-2010 08:38 AM
Same here, also lots of traffic coming from *.live.com
11-05-2010 10:44 AM
Same here. We've been seeing alerts from various websites.
11-05-2010 02:40 PM
We're seeing this signature fire on accessing legitimate websites such as ap.org (Associated Press) and others.
11-06-2010 05:51 PM
Hello tscislaw,
If you are seeing the signature fire on suspected benign traffic, do you mind providing a capture of the trigger packets so that we can compare it to what the signature should match?
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
11-08-2010 05:52 AM
Blayne,
There's nothing in the trigger packet tab. Here's a copy of the "show all details" on the event for www.ap.org (Associated Press). Also had one this morning for www.netflix.com. It's also copied below.
=======www.ap.org==============
Event ID 1279312152368438939
Severity high
Host ID kscfcu-ips
Application Name sensorApp
Event Time 11/05/2010 17:06:13
Sensor Local Time 11/05/2010 21:06:13
Signature ID 31359
Signature Sub-ID 0
Signature Name Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Signature Version S528
Signature Details Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Interface Group vs0
VLAN ID 0
Interface ge0_0
Attacker IP 165.1.59.220
Protocol tcp
Attacker Port 80
Attacker Locality OUT
Target IP 223.100.200.142
Target Port 4326
Target Locality OUT
Target OS unknown unknown (unknown)
Actions droppedPacket+deniedAttacker+deniedFlow+tcpOneWayResetSent
Risk Rating TVR=medium
Risk Rating Value 85
Threat Rating 40
Reputation
Context Data From attacker:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-05 17:06:13.962 ----
Ether:
Ether: dst = 22:50:37:5f:72:75
Ether: src = 6e:53:63:72:6f:6c
Ether: proto = 0x6c65
Ether:
Data: 0000 72 28 27 70 37 73 63 72 6f 6c 6c 65 72 31 27 2c r('p7scroller1',
Data: 0010 27 52 65 73 75 6d 65 27 2c 27 4d 65 64 69 75 6d 'Resume','Medium
Data: 0020 27 2c 30 2c 30 2c 30 2c 30 29 22 20 6f 6e 43 6c ',0,0,0,0)" onCl
Data: 0030 69 63 6b 3d 22 50 37 5f 74 75 74 70 69 63 28 27 ick="P7_tutpic('
Data: 0040 70 61 67 65 73 2f 63 61 70 74 69 6f 6e 73 2f 62 pages/captions/b
Data: 0050 69 67 70 69 63 36 2e 68 74 6d 27 29 3b 69 66 28 igpic6.htm');if(
Data: 0060 74 68 69 73 2e 62 6c 75 72 29 74 68 69 73 2e 62 this.blur)this.b
Data: 0070 6c 75 72 28 29 3b 72 65 74 75 72 6e 20 66 61 6c lur();return fal
Data: 0080 73 65 22 3e 3c 69 6d 67 20 73 72 63 3d 22 6d 65 se"><img src="me
Data: 00b0 22 6e 65 77 73 70 68 6f 74 6f 22 20 77 69 64 74 "newsphoto" widt
Data: 00c0 68 3d 22 32 39 32 22 20 68 65 69 67 68 74 3d 22 h="292" height="
Data: 00d0 32 30 30 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 200" border="0">
Data: 00e0 3c 2f 61 3e 3c 2f 74 64 3e 0d 0a 3c 2f 74 61 62 </a></td>..</tab
Data: 00f0 6c 65 le
Data:
From victim:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-05 17:06:13.962 ----
Ether:
Ether: dst = 2e:36:20:47:54:42
Ether: src = 37:2e:31:d:a:41
Ether: proto = 0x6363
Ether:
Data: 0000 65 70 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 ept: text/html,a
Data: 0010 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c pplication/xhtml
Data: 0020 2b 78 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e +xml,application
Data: 0030 2f 78 6d 6c 3b 71 3d 30 2e 39 2c 2a 2f 2a 3b 71 /xml;q=0.9,*/*;q
Data: 0040 3d 30 2e 38 0d 0a 41 63 63 65 70 74 2d 4c 61 6e =0.8..Accept-Lan
Data: 0050 67 75 61 67 65 3a 20 65 6e 2d 75 73 2c 65 6e 3b guage: en-us,en;
Data: 0060 71 3d 30 2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e q=0.5..Accept-En
Data: 0070 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 64 65 66 coding: gzip,def
Data: 0080 6c 61 74 65 0d 0a 41 63 63 65 70 74 2d 43 68 61 late..Accept-Cha
Data: 0090 72 73 65 74 3a 20 49 53 4f 2d 38 38 35 39 2d 31 rset: ISO-8859-1
Data: 00a0 2c 75 74 66 2d 38 3b 71 3d 30 2e 37 2c 2a 3b 71 ,utf-8;q=0.7,*;q
Data: 00b0 3d 30 2e 37 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 =0.7..Keep-Alive
Data: 00c0 3a 20 31 31 35 0d 0a 43 6f 6e 6e 65 63 74 69 6f : 115..Connectio
Data: 00d0 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 58 n: keep-alive..X
Data: 00e0 2d 4d 6f 7a 3a 20 70 72 65 66 65 74 63 68 0d 0a -Moz: prefetch..
Data: 00f0 0d 0a ..
Data:
Packet Data
Event Summary 0
Initial Alert
Summary Type
Final Alert
Event Status New
Event Notes
=========================================================
==========www.netflix.com===================================
Event ID 1279312152368517485
Severity high
Host ID kscfcu-ips
Application Name sensorApp
Event Time 11/08/2010 08:28:18
Sensor Local Time 11/08/2010 13:28:18
Signature ID 31359
Signature Sub-ID 0
Signature Name Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Signature Version S528
Signature Details Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution Vulnerability
Interface Group vs0
VLAN ID 0
Interface ge0_0
Attacker IP 208.75.79.17
Protocol tcp
Attacker Port 80
Attacker Locality OUT
Target IP 223.100.200.101
Target Port 2113
Target Locality OUT
Target OS learned windows-nt-2k-xp (relevant)
Actions droppedPacket+deniedAttacker+deniedFlow+tcpOneWayResetSent
Risk Rating TVR=medium ARR=relevant
Risk Rating Value 95
Threat Rating 50
Reputation
Context Data From attacker:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-08 08:28:18.515 ----
Ether:
Ether: dst = 65:6c:65:6d:2e:72
Ether: src = 65:70:6c:61:63:65
Ether: proto = 0x282f
Ether:
Data: 0000 5e 5c 73 2b 2f 2c 22 22 29 2e 73 75 62 73 74 72 ^\s+/,"").substr
Data: 0010 69 6e 67 28 30 2c 31 30 29 2e 74 6f 4c 6f 77 65 ing(0,10).toLowe
Data: 0020 72 43 61 73 65 28 29 3b 76 61 72 20 77 72 61 70 rCase();var wrap
Data: 0030 3d 21 74 61 67 73 2e 69 6e 64 65 78 4f 66 28 22 =!tags.indexOf("
Data: 0040 3c 6f 70 74 22 29 26 26 5b 31 2c 22 3c 73 65 6c <opt")&&[1,"<sel
Data: 0060 6c 74 69 70 6c 65 27 3e 22 2c 22 3c 2f 73 65 6c ltiple'>","</sel
Data: 0070 65 63 74 3e 22 5d 7c 7c 21 74 61 67 73 2e 69 6e ect>"]||!tags.in
Data: 0080 64 65 78 4f 66 28 22 3c 6c 65 67 22 29 26 26 5b dexOf("<leg")&&[
11-09-2010 05:50 AM
We're continuing to get hits on all varieties of sites, including internal ones. We've scrubbed our stuff and haven't found anything. Can anyone confirm that the signature is perhaps being overzealous? I'd rather not mark it as safe and miss something that has a legitimate threat in the wild.
11-09-2010 06:36 AM
Hello,
We need to check on the captures what is triggering the signature; as of yet we need to see them with Wireshark to analyze the payload. If possible, can anyone provide a packet capture of this nature, and also, would you please give some website examples that are triggering the signature?
Thanks.
Mike
11-09-2010 06:39 AM
yimg.com is one site but we also have some internal Solarwinds sites that are getting spiked by this. I'll see if I can release a packet capture to you.
11-09-2010 07:01 AM
Is there somewhere private I can post the capture to?
I have a packet out of IME for both a Solarwinds session and what I think is a web based email session with American University's website.
11-09-2010 07:10 AM
Ok, here's one from Yahoo. I'm not too worried about putting this one out there. I captured this from IME in both the trigger packet and context data tabs:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-09 10:06:04.683 ----
Ether:
Ether: dst = 0:1a:6d:ea:4c:72
Ether: src = 0:4:96:27:be:7d
Ether: proto = 0x8100 "(VLAN) IEEE 802.1q"
Ether:
VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----
VLAN:
VLAN: flags = 0000000000001011 11
VLAN: 000............. 0x0 = [priority]
VLAN: ...0............ 0x0 = [cfi]
VLAN: ....000000001011 11 = [id]
VLAN: type = 0x800 "(IP) Internet protocol (v4 or v6)"
VLAN:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4: ver = 4 "Internet Protocol version 4"
IPv4: hlen = 5 (20 bytes) "No IP options present"
IPv4: tos = 00000000 0x0
IPv4: 000..... 0x0 = [precedence] "Routine"
IPv4: ...0.... 0x0 = [delay] "Normal delay"
IPv4: ....0... 0x0 = [throughput] "Normal throughput"
IPv4: .....0.. 0x0 = [reliability] "Normal reliability"
IPv4: ......00 0x0 = [reserved]
IPv4: len = 1420 (1400 bytes of data)
IPv4: id = 0xb9c6
IPv4: flags = 010 0x2 (bit fields)
IPv4: 0.. 0x0 = [reserved]
IPv4: .1. 0x1 = [df] "Do not fragment"
IPv4: ..0 0x0 = [mf] "no more fragments"
IPv4: offset = 0 (0 bytes)
IPv4: ttl = 52 (hops)
IPv4: protocol = 6 "(TCP) Transmition Control Protocol (RFC793)"
IPv4: checksum = 0x101b
IPv4: saddr = 98.137.80.33
IPv4: daddr = 192.168.4.56
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport = 80
TCP: dport = 1041
TCP: seq = 366993190
TCP: ack = 1979566247
TCP: hlen = 5 (20 bytes) "No TCP options present"
TCP: res = 0
TCP: code = 010000 0x10
TCP: 0..... 0x0 = [urg]
TCP: .1.... 0x1 = [ack] "Acknowledgement Field Significant"
TCP: ..0... 0x0 = [psh]
TCP: ...0.. 0x0 = [rst]
TCP: ....0. 0x0 = [syn]
TCP: .....0 0x0 = [fin]
TCP: win = 8767 (bytes)
TCP: crc = 0xe0c5 (CRC-16)
TCP: urg = 0 (byte offset)
TCP:
Data: 0000 20 53 54 59 4c 45 3d 22 76 69 73 69 62 69 6c 69 STYLE="visibili
Data: 0010 74 79 3a 68 69 64 64 65 6e 3b 22 3e 27 3b 63 2b ty:hidden;">';c+
Data: 0020 3d 6a 3b 63 2b 3d 22 3c 49 4d 47 20 6f 6e 4c 6f =j;c+="<IMG onLo
Data: 0030 61 64 3d 5c 22 72 65 74 75 72 6e 20 59 41 48 4f ad=\"return YAHO
Data: 0040 4f 2e 53 68 6f 72 74 63 75 74 73 2e 55 74 69 6c O.Shortcuts.Util
Data: 0050 73 2e 72 65 73 69 7a 65 49 6d 61 67 65 54 6f 4d s.resizeImageToM
Data: 0060 61 78 53 69 7a 65 28 74 68 69 73 2c 37 30 2c 37 axSize(this,70,7
Data: 0070 30 2c 27 69 6d 67 64 69 76 5f 22 2b 28 64 2b 70 0,'imgdiv_"+(d+p
Data: 0080 29 2b 27 5c 27 29 3b 22 20 53 52 43 3d 22 27 2b )+'\');" SRC="'+
Data: 0090 66 2b 27 22 20 42 4f 52 44 45 52 3d 30 20 41 4c f+'" BORDER=0 AL
Data: 00a0 54 3d 22 27 2b 75 2b 27 22 3e 27 3b 63 2b 3d 22 T="'+u+'">';c+="
Data: 00b0 3c 2f 41 3e 22 3b 63 2b 3d 22 3c 2f 44 49 56 3e </A>";c+="</DIV>
Data: 00c0 22 3b 63 2b 3d 22 3c 2f 54 44 3e 22 3b 63 2b 3d ";c+="</TD>";c+=
Data: 00d0 22 3c 2f 54 52 3e 22 3b 76 61 72 20 73 3d 22 22 "</TR>";var s=""
Data: 00e0 3b 73 2b 3d 22 3c 54 52 3e 22 3b 73 2b 3d 22 3c ;s+="<TR>";s+="<
Data: 00f0 54 44 20 56 41 4c 49 47 4e 3d 6d 69 64 64 6c 65 TD VALIGN=middle
Data: 0100 20 41 4c 49 47 4e 3d 63 65 6e 74 65 72 3e 22 3b ALIGN=center>";
Data: 0110 73 2b 3d 6a 3b 73 2b 3d 62 3b 73 2b 3d 22 3c 2f s+=j;s+=b;s+="</
Data: 0120 41 3e 22 3b 73 2b 3d 22 3c 2f 54 44 3e 22 3b 73 A>";s+="</TD>";s
Data: 0130 2b 3d 22 3c 2f 54 52 3e 22 3b 6b 2b 3d 27 3c 54 +="</TR>";k+='<T
Data: 0140 44 20 41 4c 49 47 4e 3d 63 65 6e 74 65 72 20 56 D ALIGN=center V
Data: 0150 41 4c 49 47 4e 3d 74 6f 70 20 41 4c 49 47 4e 3d ALIGN=top ALIGN=
Data: 0160 63 65 6e 74 65 72 20 53 54 59 4c 45 3d 22 77 69 center STYLE="wi
Data: 0170 64 74 68 3a 27 2b 67 2b 27 22 3e 27 3b 6b 2b 3d dth:'+g+'">';k+=
Data: 0180 27 3c 54 41 42 4c 45 20 43 45 4c 4c 50 41 44 44 '<TABLE CELLPADD
Data: 0190 49 4e 47 3d 30 20 43 45 4c 4c 53 50 41 43 49 4e ING=0 CELLSPACIN
Data: 01a0 47 3d 30 20 48 45 49 47 48 54 3d 22 31 30 30 25 G=0 HEIGHT="100%
Data: 01b0 22 3e 27 3b 6b 2b 3d 63 3b 6b 2b 3d 73 3b 6b 2b ">';k+=c;k+=s;k+
Data: 01c0 3d 22 3c 2f 54 41 42 4c 45 3e 22 3b 6b 2b 3d 22 ="</TABLE>";k+="
Data: 01d0 3c 2f 54 44 3e 22 7d 6b 2b 3d 22 3c 2f 54 52 3e </TD>"}k+="</TR>
Data: 01e0 3c 2f 54 41 42 4c 45 3e 22 3b 6b 2b 3d 22 3c 2f </TABLE>";k+="</
Data: 01f0 44 49 56 3e 22 3b 69 66 28 65 29 7b 6b 2b 3d 27 DIV>";if(e){k+='
Data: 0200 3c 44 49 56 20 49 44 3d 22 72 69 67 68 74 41 72 <DIV ID="rightAr
From attacker:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-11-09 10:06:04.683 ----
Ether:
Ether: dst = 44:3e:22:3b:63:2b
Ether: src = 3d:22:3c:2f:54:52
Ether: proto = 0x3e22
Ether:
Data: 0000 3b 76 61 72 20 73 3d 22 22 3b 73 2b 3d 22 3c 54 ;var s="";s+="<T
Data: 0010 52 3e 22 3b 73 2b 3d 22 3c 54 44 20 56 41 4c 49 R>";s+="<TD VALI
Data: 0020 47 4e 3d 6d 69 64 64 6c 65 20 41 4c 49 47 4e 3d GN=middle ALIGN=
Data: 0030 63 65 6e 74 65 72 3e 22 3b 73 2b 3d 6a 3b 73 2b center>";s+=j;s+
Data: 0040 3d 62 3b 73 2b 3d 22 3c 2f 41 3e 22 3b 73 2b 3d =b;s+="</A>";s+=
Data: 0050 22 3c 2f 54 44 3e 22 3b 73 2b 3d 22 3c 2f 54 52 "</TD>";s+="</TR
Data: 0060 3e 22 3b 6b 2b 3d 27 3c 54 44 20 41 4c 49 47 4e >";k+='<TD ALIGN
Data: 0070 3d 63 65 6e 74 65 72 20 56 41 4c 49 47 4e 3d 74 =center VALIGN=t
Data: 0080 6f 70 20 41 4c 49 47 4e 3d 63 65 6e 74 65 72 20 op ALIGN=center
Data: 0090 53 54 59 4c 45 3d 22 77 69 64 74 68 3a 27 2b 67 STYLE="width:'+g
Data: 00a0 2b 27 22 3e 27 3b 6b 2b 3d 27 3c 54 41 42 4c 45 +'">';k+='<TABLE
Data: 00b0 20 43 45 4c 4c 50 41 44 44 49 4e 47 3d 30 20 43 CELLPADDING=0 C
Data: 00c0 45 4c 4c 53 50 41 43 49 4e 47 3d 30 20 48 45 49 ELLSPACING=0 HEI
Data: 00d0 47 48 54 3d 22 31 30 30 25 22 3e 27 3b 6b 2b 3d GHT="100%">';k+=
Data: 00e0 63 3b 6b 2b 3d 73 3b 6b 2b 3d 22 3c 2f 54 41 42 c;k+=s;k+="</TAB
Data: 00f0 4c 45 LE
Data:
From victim:
Ether:
Ether: dst = 6f:6d:70:61:74:69
Ether: src = 62:6c:65:3b:20:4d
Ether: proto = 0x5349
Ether:
Data: 0000 45 20 38 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e E 8.0; Windows N
Data: 0010 54 20 35 2e 31 3b 20 54 72 69 64 65 6e 74 2f 34 T 5.1; Trident/4
Data: 0020 2e 30 3b 20 47 54 42 36 2e 36 3b 20 28 52 31 20 .0; GTB6.6; (R1
Data: 0030 31 2e 35 29 3b 20 2e 4e 45 54 20 43 4c 52 20 31 1.5); .NET CLR 1
Data: 0040 2e 31 2e 34 33 32 32 3b 20 2e 4e 45 54 20 43 4c .1.4322; .NET CL
Data: 0050 52 20 32 2e 30 2e 35 30 37 32 37 3b 20 49 6e 66 R 2.0.50727; Inf
Data: 0060 6f 50 61 74 68 2e 31 3b 20 2e 4e 45 54 20 43 4c oPath.1; .NET CL
Data: 0070 52 20 33 2e 30 2e 30 34 35 30 36 2e 33 30 3b 20 R 3.0.04506.30;
Data: 0080 2e 4e 45 54 20 43 4c 52 20 33 2e 30 2e 34 35 30 .NET CLR 3.0.450
Data: 0090 36 2e 32 31 35 32 3b 20 2e 4e 45 54 20 43 4c 52 6.2152; .NET CLR
Data: 00a0 20 33 2e 35 2e 33 30 37 32 39 3b 20 49 6e 66 6f 3.5.30729; Info
Data: 00b0 50 61 74 68 2e 32 3b 20 4d 53 2d 52 54 43 20 4c Path.2; MS-RTC L
Data: 00c0 4d 20 38 29 0d 0a 48 6f 73 74 3a 20 6c 2e 79 69 M 8)..Host: l.yi
Data: 00d0 6d 67 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 mg.com..Connecti
Data: 00e0 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a on: Keep-Alive..
Data: 00f0 0d 0a ..
Data:
11-09-2010 07:11 AM
Would it be possible for you to download that capture in pcap format?
Cheers.
Mike
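Mike asks for the capture in pcap format, and Wireshark cannot load the IME text shown in these posts directly, but every payload byte is present in the "Data:" lines. The script below is an added example, not Cisco's or IME's code: it parses those lines back into the payload (reporting missing offset rows, like the 0090/00a0 lines that got swallowed in the ap.org dump), wraps the bytes in synthetic Ethernet/IPv4/TCP headers built from the event's addresses and ports (an assumption, since the real L2-L4 headers are not in the pasted text), and writes a classic pcap. The sample input is the "From victim" tail of the Yahoo event above; the seq/ack numbers in the demo are the trigger packet's values swapped for the client direction, which is an approximation.

```python
# Added example for this thread (not Cisco's code): rebuild the payload from a
# Cisco IME "show all details" hex dump and wrap it in a pcap for Wireshark.
# The L2-L4 headers are synthetic (assumption); only the addresses, ports and
# sequence numbers you pass in come from the event fields.
import re
import struct

# Sample lines copied from the "From victim" part of the Yahoo event above.
SAMPLE_DUMP = """\
Data: 00c0 4d 20 38 29 0d 0a 48 6f 73 74 3a 20 6c 2e 79 69 M 8)..Host: l.yi
Data: 00d0 6d 67 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 mg.com..Connecti
Data: 00e0 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a on: Keep-Alive..
Data: 00f0 0d 0a ..
"""

_LINE = re.compile(r"^\s*Data:\s+([0-9a-fA-F]{4})\s+(\S.*)$")
_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def _ascii_col(buf):
    """Render bytes the way IME does: printable ASCII as-is, anything else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf)


def parse_ime_dump(text):
    """Return (payload, first_offset, gaps); gaps = (expected, found) offset pairs
    where dump lines are missing (e.g. a forum post swallowed 0090/00a0). The
    ASCII column decides where the hex stops on lines shorter than 16 bytes."""
    payload, first, expected, gaps = bytearray(), None, None, []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        offset, tokens = int(m.group(1), 16), m.group(2).split()
        run = 0
        while run < min(16, len(tokens)) and _PAIR.match(tokens[run]):
            run += 1
        chosen = run  # fallback when the ASCII column was stripped
        for n in range(run, 0, -1):
            buf = bytes(int(t, 16) for t in tokens[:n])
            if " ".join(tokens[n:]) == " ".join(_ascii_col(buf).split()):
                chosen = n
                break
        buf = bytes(int(t, 16) for t in tokens[:chosen])
        if first is None:
            first = offset
        elif offset != expected:
            gaps.append((expected, offset))
        payload += buf
        expected = offset + len(buf)
    return bytes(payload), first, gaps


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, seq=0, ack=0):
    """Synthetic Ethernet/IPv4/TCP (PSH,ACK) frame with dummy MACs carrying payload."""
    src, dst = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return bytes.fromhex("000000000002" "000000000001" "0800") + ip + tcp + payload


def verify_frame(frame):
    """True when both the IPv4 and TCP checksums in frame validate."""
    ip = frame[14:34]
    if inet_checksum(ip) != 0:
        return False
    segment = frame[34:14 + struct.unpack("!H", ip[2:4])[0]]
    return inet_checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(segment)) + segment) == 0


def build_pcap(frames, ts_sec=0):
    """Classic little-endian pcap, LINKTYPE_ETHERNET (the IME text has no usable timestamp)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data, first, gaps = parse_ime_dump(SAMPLE_DUMP)
    print("offset 0x%04x, %d bytes, gaps=%s" % (first, len(data), gaps))
    # Client -> server direction; addresses, ports, seq/ack from the Yahoo event.
    frame = build_tcp_frame("192.168.4.56", "98.137.80.33", 1041, 80, data,
                            seq=1979566247, ack=366993190)
    with open("ime_event.pcap", "wb") as fh:
        fh.write(build_pcap([frame]))
```

Prefer IME's own pcap export when the sensor still has the event; this is for the case where all you have is the pasted text. Because the headers are synthesized, Wireshark's HTTP dissector and "Follow TCP Stream" work on the result, but timing, TCP state and the original MAC/VLAN details are not real. Check the returned gaps before drawing conclusions about what the signature matched: a missing 32 bytes in the middle of the payload (as in the ap.org dump) may be exactly the span the signature engine keyed on.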