MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) detection rules -rev:3
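Among the vulnerabilities in Microsoft's March 2012 security bulletins, a Critical one has turned up.
It allows code execution by exploiting an RDP vulnerability.
See the following links for details:
http://support.microsoft.com/kb/2621440
http://technet.microsoft.com/ko-kr/security/bulletin/ms12-020
The vulnerability is triggered when the value of a specific byte in an RDP packet underflows.
Based on analysis of the PoCs published so far, the following rules can be applied.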
alert tcp any any -> any 3389 (flow:to_server,established; content:"|03 00|"; depth:2; content:"|7F 65 82|"; content:"|04 01 01 04 01 01 01|"; distance:0; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,2,relative; byte_test:1,<,6,-1,relative;)
alert tcp any any -> any 3389 (flow:to_server,established; content:"|03 00|"; depth:2; content:"|7F 65 82|"; content:"|04 01 01 04 01 01 01|"; distance:0; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,0,relative; content:"|30|"; within:24; byte_jump:1,0,relative; content:"|30|"; within:24; byte_jump:1,2,relative; byte_test:1,<,6,-1,relative;)
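Added example (not from the original post): a Python walk-through of the byte offsets the two rules above follow, run over constructed MCS Connect-Initial fragments, to show which byte the final byte_test inspects. Reading the three |30| sequences as the T.125 targetParameters, minimumParameters and maximumParameters is an assumption not stated in the post; all function names and sample bytes are constructed.

```python
# Added example: emulates the option chain of the two Snort rules above.
# Simplification: each content match takes the first occurrence only
# (Snort would retry later occurrences if a following option failed).
SELECTORS = bytes.fromhex("04010104010101")
REST = bytes.fromhex("020102 020100 020101 020100 020101 0202ffff 020102")

def inspected_byte(payload, skip):
    """Byte the final byte_test reads, or None if the content chain fails.
    skip=0 emulates the first rule, skip=2 the second."""
    try:
        if payload[:2] != b"\x03\x00":                 # content:"|03 00|"; depth:2
            return None
        i = payload.find(b"\x7f\x65\x82")              # content:"|7F 65 82|"
        j = payload.find(SELECTORS, i + 3) if i >= 0 else -1  # distance:0
        if j < 0:
            return None
        cur = j + len(SELECTORS)
        cur += 1 + payload[cur]                        # byte_jump:1,0,relative
        if payload[cur] != 0x30:                       # content:"|30|"; within:1
            return None
        cur += 1
        for _ in range(skip):
            cur += 1 + payload[cur]                    # byte_jump:1,0,relative
            k = payload.find(b"\x30", cur, cur + 24)   # content:"|30|"; within:24
            if k < 0:
                return None
            cur = k + 1
        cur += 2 + 1 + payload[cur + 2]                # byte_jump:1,2,relative
        return payload[cur - 1]                        # byte_test offset -1
    except IndexError:                                 # truncated payload
        return None

def rule_fires(payload, skip):
    b = inspected_byte(payload, skip)
    return b is not None and b < 6                     # byte_test:1,<,6,-1,relative

def params(first_int):
    """Constructed parameter SEQUENCE whose first INTEGER value is first_int."""
    body = b"\x02" + bytes([len(first_int)]) + first_int + REST
    return b"\x30" + bytes([len(body)]) + body

def connect_initial(target, maximum):
    """Constructed fragment; TPKT and BER length fields are zeroed placeholders."""
    return (b"\x03\x00\x00\x00\x02\xf0\x80\x7f\x65\x82\x00\x00" + SELECTORS
            + b"\x01\xff" + params(target) + params(b"\x01") + params(maximum))
```

Because the byte_test reads only the last byte of the INTEGER, a two-byte value such as 01 00 (256) also satisfies `< 6`, which is a false-positive case to keep in mind when tuning these rules.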
About this entry
- Posted:
- March 15, 2012 / 6:08 PM
- Category:
- Hot issue