Microsoft Security Advisory (979352) – detection rule for the removed-element reference vulnerability

On January 14, 2010, an Internet Explorer zero-day attack was discovered.

See the following:

http://www.microsoft.com/technet/security/advisory/979352.mspx

http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html

http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js

The detection rule is as follows.

alert tcp any 80 -> any any (flow:established,to_client; content:"document|2e|getElementById"; nocase; content:"|2e|innerHTML"; distance:0; nocase; pcre:"/document\x2egetElementById\x28\x22[^\r\n\s]+\x22\x29\x2einnerHTML\s*\x3d\s*\x22[^\r\n]+\x22/i";)

False positives are possible.

Exploit actually used in the wild

alert tcp any 80 -> any any (flow:established,to_client; content:"document|2e|getElementById"; nocase; content:"|2e|innerHTML"; distance:0; nocase; pcre:"/document\x2egetElementById\x28\x22sp1\x22\x29\x2einnerHTML\s*\x3d\s*\x22\x22/i";)

Metasploit exploit

alert tcp any 80 -> any any (flow:established,to_client; content:"document|2e|getElementById"; nocase; content:"|2e|innerHTML"; distance:0; nocase; pcre:"/document\x2egetElementById\x28\x22ktYbCXAzwwtRHBwNbtexeZotNosLJLtghUYkKXQrjFHnBWbkiUkHmYLgYUKbcZuXFEeYgYYDdW\x22\x29\x2einnerHTML\s*\x3d\s*\x22\x22/i";)
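The following is an added example, not part of the original post or of the Snort rules above. It re-implements the matching logic of the generic rule and the "exploit actually used" rule in Python (the two content pre-filters with distance:0, then the pcre body) and runs it over a few constructed response-body lines, so the difference between the rules is visible. Note that the generic rule's pcre ends in \x22[^\r\n]+\x22, which requires at least one character between the quotes, so the bare empty assignment innerHTML = "" that the specific rules look for is only caught by the generic rule when another quote follows later on the same line; the benign "status" line shows the kind of false positive the post warns about. Function names and the sample lines are my own.

```python
import re
from typing import List

# Regexes copied from the pcre options of the two Snort rules in the post.
# Hex escapes: \x2e '.', \x28 '(', \x29 ')', \x22 '"', \x3d '='; /i -> IGNORECASE.
GENERIC_RE = re.compile(
    r'document\x2egetElementById\x28\x22[^\r\n\s]+\x22\x29\x2einnerHTML'
    r'\s*\x3d\s*\x22[^\r\n]+\x22',
    re.IGNORECASE,
)
AURORA_RE = re.compile(
    r'document\x2egetElementById\x28\x22sp1\x22\x29\x2einnerHTML\s*\x3d\s*\x22\x22',
    re.IGNORECASE,
)


def content_prefilter(body: str) -> bool:
    """Mirror the two 'content' options: 'document.getElementById' (nocase)
    must occur, and '.innerHTML' (nocase) must occur after it (distance:0)."""
    lower = body.lower()
    first = lower.find("document.getelementbyid")
    if first < 0:
        return False
    return lower.find(".innerhtml", first + len("document.getelementbyid")) >= 0


def match_rules(body: str) -> List[str]:
    """Return the names of the rules (hypothetical labels) that fire on body,
    evaluating the pcre only when the content pre-filter passes, as Snort does."""
    if not content_prefilter(body):
        return []
    hits = []
    if GENERIC_RE.search(body):
        hits.append("generic")
    if AURORA_RE.search(body):
        hits.append("aurora")
    return hits


# Constructed sample lines (not captured traffic).
SAMPLES = {
    # the bare assignment from the specific rule: empty string, nothing after it
    "aurora_only": 'document.getElementById("sp1").innerHTML = "";',
    # same assignment, but a later quote on the line lets [^\r\n]+\x22 match too
    "aurora_plus_more": 'document.getElementById("sp1").innerHTML = ""; var s = "x";',
    # ordinary page script: hits the generic rule only (a false positive)
    "benign_status": 'document.getElementById("status").innerHTML = "Loading...";',
    # no innerHTML at all: fails the content pre-filter
    "no_innerhtml": 'document.getElementById("status").textContent = "Loading...";',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:18s} -> {match_rules(line)}")
```

Running it prints which rule labels fire for each sample; only the second line triggers both the generic and the specific rule, which is why the generic rule alone is not a reliable match for the exact exploit string.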
