RE: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
- From: "Oleg Kolesnikov x 133" <okolesnikov@xxxxxxxxxxxx>
- Date: Thu, 15 Mar 2007 18:06:34 -0400
Hello,
Which security solutions are expected to catch these kinds of attacks?
NIPS and HIPS. O# on a tangent, the vulnerability is in a fixed stack-based buffer of ~2.5k allocated for one of the values extracted from the ARJ file header. Kernel32.Readfile() is then used to load the buffer.
To illustrate, a HIPS should be able to stop the attack with a canary/integrity check. A generic behaviour-based HIPS should also be able to detect the attack for payloads that do not involve mimicry.
There are fewer options with NIPS, but there are things that can be done to provide protection (see below).
It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the
file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catch >these kjinds of attacks. Any insight is appreciated.
Not exactly. Many modern NIPS do provide protection against this and other client-side attacks. In this particular case, it is sufficient to parse local ARJ file headers checking for an overly large local header size.
Sincerely,
Oleg Kolesnikov
Director of Security Research
TopLayer, Inc.
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]On Behalf Of Surya Batchu
Sent: Thursday, March 15, 2007 1:07 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: 7-ZIP ARJ Archive Processing stack overflow - Is there any role
for Network IPS?
Hi,
Please see this advisory: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3051
This attack can be launched remotely by sending specially crafted data in archived file.
Which security solutions are expected to catch these kinds of attacks? It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catch these kjinds of attacks. Any insight is appreciated.
Thanks
Surya
____________________________________________________________________________________
It's here! Your new message!
Get new email alerts with the free Yahoo! Toolbar.
http://tools.search.yahoo.com/toolbar/features/mail/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
- References:
- Prev by Date: Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
- Next by Date: Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
- Previous by thread: Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
- Next by thread: Re: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS?
- Index(es):
Relevant Pages
|
