Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Cisco Employee

Custom Signature for AOL Instant Messenger Overflow

Below is a custom signature for the recent AOL instant messenger buffer overflow referenced by the group w00w00's recent posting to bugtraq and NTbugtraq. The information is presented as a 'SigWizMenu' screenshot. The signature can be added to a sensor using the 'SigWizMenu' tool. Please see the sensor release notes for more information regarding adding custom signatures.

This signature is slated to be included with the Signature Update S14.

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.TCP SIGID 20004

SigName: AIM overflow

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength = 500

10 - MultipleHits =

11 * RegexString = [Mm][Aa][Ii][Mm][:].*[\r\n]

12 - ResetAfterIdle = 15

13 - ServicePorts = 5190

14 - SigComment =

15 - SigName = AIM overflow

16 - SigStringInfo = Maim: <500+ chars>

17 - StripTelnetOptions =

18 - ThrottleInterval =

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Selection>

2 REPLIES
New Member

Re: Custom Signature for AOL Instant Messenger Overflow

Like many other security professionals, I am active on several forums. And when I had a chance to share this data, I lept at the chance. In the past year, y'all have done a wonderful job getting current and timely custom signatures out to us.

I received this feedback, however, and I wanted to forward it back to y'all - especially since I had started to look at all the ports AIM uses yesterday. Here's the comments I received. I look forward to your response:

"I was looking at the signature you sent... and i just wanted to let you know i saw a few flaws with it. First, aim can run on any port. I've seen people set it to port 23 and 80 to get around firewalls. I'm personally not using 5190 for aim either. We use a different port in our environment. I'm also not sure what "maim:" will detect, but i'm not that familiar with the protocol. The snort signature is

alert tcp [64.12.163.0/24,205.188.9.0/24] any -> $HOME_NET any \ (msg:"EXPERIMENTAL MISC AIM AddGame attempt"; flags:A+; \ content:"aim\:AddGame?"; nocase; \ reference:url,www.w00w00.org/files/w00aimexp/; \ reference:bugtraq,3769; classtype:misc-attack; \ sid:1393; rev:3;)

which just looks for "aim\:AddGame?" in the packet.

I would check with your vendor about getting a better signature if you can."

Cisco Employee

Re: Custom Signature for AOL Instant Messenger Overflow

With the exception of the port limitation our signature is not as specific as the snort signature nor will it alarm on any attempt to use the add game feature which may be benign in nature. So the formation of the signature is better for avoiding false positives. It will catch any attempt to overflow the buffers with any of the other functions as the exploit specified that this attacked addgame specifically yet other functions were potentially exploitable.

If you wish to have the sensor apply this to all ports or a list of ports it can be done. Unfortunately to listen on all ports we will have to work around a bug in our parser that we just found when testing this example.

To listen on all ports in SigWizMenu first modify the settings on the AIM signature that you have deployed. You will want to modify entry 13 which corresponds to the ports. The value you will want to place there is 1-32776,32778-65535. Then you will need to add another signature just like the first only set the port to 32777. The two of these combine will cover all ports.

If you want to listen on some other list of ports you can combine ranges such as 1-24,26-32,35778,62432 or what ever combination you wish as long as the range or the list does not contain 32777. This port must be in a separate signature of it's own. That is the bug that I mentioned.

127
Views
0
Helpful
2
Replies