Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
655
Views
0
Helpful
4
Replies

Microsoft Internet Explorer mshtml.dll createTextRange()

ntrngrusr
Level 1
Level 1

‎03-30-2006 01:25 PM - edited ‎03-10-2019 01:57 AM

Is there a signature to cover this one already because if there is my sensors are not seeing it.

I tested against my lab sensors. The exploit was successful and the sensors did not fire an alert. I ran tcpdump to make sure they were actually seeing it for verification purposes.

Any idea when a sig will be available for this? Right now I have to use Bleeding edge Snort sigs.

Thanks,

Labels:
0 Helpful
4 Replies 4

DFiore
Level 1
Level 1

‎03-30-2006 01:55 PM

I asked this same question a few days ago--- The answer to my post was:

Replied by: wsulym - IPS Signature Engineer, CISCO SYSTEMS - Mar 28, 2006, 11:42am PST

Currently, all exploits we've seen and tested have triggered 5477-2. 5477-2 is a generic sig catching suspicious activity in return web traffic. As of this moment, there are no plans on adding anything additional for this vulnerability.

So you're saying your test failed to make sig 5477 fire off as Cisco says it should?

If this is the case, then we are overdue for S223 by a week at least.

0 Helpful

ntrngrusr
Level 1
Level 1
In response to DFiore

‎03-30-2006 06:48 PM

Yes, that is exactly what I am saying. I used Metasploit for the testing. I could not get any signature to fire. Nor did my bloodhound definitions fire for Symantec AV and the exploit was successful. I did a reverse shell and it worked perfectly. I also downloaded and executed a file (calc.exe) and there was no detection by anything. The tcpdump showed the traffic went past the sensor. Not too sure if the signatures are written for the exploit or the vulnerability but from what my testing showed it did not detect it.

0 Helpful

d-g-c
Level 1
Level 1
In response to ntrngrusr

‎03-31-2006 02:37 AM

I'm seeing 5477-2 firing and assumed that it was the IE exploit trigerring it, this is a concern if it's not the case. Why haven't CISCO responded to this particular threat?

I'm interested in how you tested the exploit, can you provide further info?

0 Helpful

wsulym
Cisco Employee
Cisco Employee
In response to ntrngrusr

‎03-31-2006 01:12 PM

5477-2 should fire off of this traffic, but why it's not firing could be one of a couple things.

First, retire/unretire 5477-2 (Retire, apply changes, Unretire, apply changes). Might be a config issue and this will force a rebuild of that signature in the regex tables.

Second, it could be that the sensor is seeing compressed traffic. In some instances, as in your case, the modules are defaulting to gzipping the traffic for transparent compression... browsers will transparently decompress this data. When compression is applied, the result is that we have a very high entropy return data stream very similar to an encrypted data stream, largely due to the fact that the underlying data is also mostly random itself. We are aware of this and are working on a solution that

will address it. The solution will require modification to the sensor inspection code and has been added to the enhancement list for a future

version.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card