Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Sourcefire VRT advisory about a vulnerability affecting Microsoft Word documents.



http://www.snort.org/rules/advisories/vrt-rules-2006-05-26.html

Sourcefire VRT Advisory
Date: 2006-05-26
Synopsis:

The Sourcefire VRT has learned of a vulnerability affecting Microsoft
Word documents.
Details:

The Sourcefire VRT is aware of an issue affecting Microsoft Word
documents. After extensive investigation the VRT recommends not using
your IDS/IPS to detect this fearsome 0day vulnerability and instead
using Anti-Virus products to detect Microsoft Word files that could
be potentially harmful (since this is what they are designed to do).
The Skinny:

An error in the parsing of Word documents, specifically the SmartTag
data structure, may allow an attacker to execute code of their choosing
on a host.
Detection:

In order to detect a vulnerable document structure, the document itself
must be reconstructed and inspected; this is computationally expensive
and not a worthwhile task for a network intrusion detection or
prevention system.
0Day Usage:

However, the Snort Community ruleset released on 2006-05-24 contains
rules to detect the presence of the Trojan Horse program Ginwui which is
installed by exploit code targeting this vulnerability. Users of these
rules should be aware that they detect a particular instance of
post-compromise behavior and the preferred method for initial
vulnerability exploitation is via Anti-Virus systems.
The Rules:

# DNS Rules submitted by urleet@xxxxxxxxx
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net"; content:"|01 00|"; offset:2; depth:2; content:"|05|scfzf|04|xicp|03|net"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; sid:100000310; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org"; content:"|01 00|"; offset:2; depth:2; content:"|0A|localhosts|04|3322|03|org"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; sid:100000311; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY VIRUS Ginwui.B POST attempt"; content:"POST|20 2F|"; nocase; depth:6; content:"Host|3a|"; nocase; content:"scfzf.xicp.net"; nocase; pcre:"/Host\x3A[^\n\r]+scfzf.xicp.net/smi"; content:"Content-Length|3a 20|0"; nocase; content:"Connection|3a| Keep-Alive"; nocase; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; sid:100000312; rev:1;)
Bad Word File Detector:

The Sourcefire VRT has also released a command line tool to check the
structure of a Microsoft Word document to determine if the document
contains a SmartTag structure that could be leveraged as an exploitation
vector for this vulnerability.

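The two DNS rules in the advisory match on the DNS header flags and on the command-server hostname in wire-label form, and rely on a per-source threshold to avoid alerting on every repeated lookup. The following is an added example, not code from the advisory, Sourcefire or the Snort project: it re-implements that rule logic in plain Python over constructed DNS query packets so the reader can see what "|01 00|" at offset 2 and "|05|scfzf|04|xicp|03|net" actually test on the wire. The function and class names (dns_wire_name, build_dns_query, matches_ginwui_dns, ThresholdLimit, scan_dns_traffic), the sample IP addresses and timestamps, and the approximation of Snort's threshold keyword are all assumptions made for this example; the hostnames and the flag check come from the rules above.

```python
"""Added example (not code from the advisory, Sourcefire, or the Snort
project): re-implements the logic of the two Ginwui.B DNS rules above in
plain Python, so a reader can see exactly what the content matches test
on the wire and how the threshold suppresses repeats.

Assumptions not on the page: the DNS packets are constructed sample
traffic, and ThresholdLimit is an approximation of Snort's
'threshold: type limit, track by_src, count 1, seconds 360'.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Command-server hostnames taken from the advisory's rules.
GINWUI_C2_HOSTS = ("scfzf.xicp.net", "localhosts.3322.org")


def dns_wire_name(host: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (length byte + label).

    'scfzf.xicp.net' -> b'\\x05scfzf\\x04xicp\\x03net\\x00'; the Snort content
    "|05|scfzf|04|xicp|03|net" is this sequence without the root label.
    """
    out = b""
    for label in host.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(host: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Construct a minimal DNS A/IN query payload (constructed sample traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = dns_wire_name(host) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def matches_ginwui_dns(payload: bytes) -> Optional[str]:
    """Return the matched C2 hostname, or None if the rules would not fire.

    Mirrors the rules: bytes 2-3 of the DNS header must be 01 00 (a
    standard query with recursion desired, not a response), and the encoded
    label sequence must appear anywhere in the payload.
    """
    if len(payload) < 12 or payload[2:4] != b"\x01\x00":
        return None
    for host in GINWUI_C2_HOSTS:
        needle = dns_wire_name(host)[:-1]  # rules do not include the root 00
        if needle in payload:
            return host
    return None


class ThresholdLimit:
    """Approximates 'threshold: type limit, track by_src, count 1, seconds N'.

    Snort keeps the limit per rule, so the key is (source IP, matched host);
    one alert is allowed per key per N-second window.
    """

    def __init__(self, seconds: int = 360) -> None:
        self.seconds = seconds
        self._last: Dict[Tuple[str, str], float] = {}

    def should_alert(self, src_ip: str, host: str, now: float) -> bool:
        key = (src_ip, host)
        last = self._last.get(key)
        if last is not None and now - last < self.seconds:
            return False
        self._last[key] = now
        return True


def scan_dns_traffic(records: Iterable[Tuple[str, float, bytes]],
                     threshold: ThresholdLimit) -> List[Tuple[str, str]]:
    """Run the rule logic over (src_ip, timestamp, udp_payload) records."""
    alerts = []
    for src_ip, ts, payload in records:
        host = matches_ginwui_dns(payload)
        if host is not None and threshold.should_alert(src_ip, host, ts):
            alerts.append((src_ip, host))
    return alerts


# Constructed sample traffic: timestamps are seconds from an arbitrary start.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 0.0, build_dns_query("scfzf.xicp.net")),
    ("10.0.0.5", 30.0, build_dns_query("scfzf.xicp.net")),                 # suppressed
    ("10.0.0.7", 31.0, build_dns_query("www.example.com")),                # no match
    ("10.0.0.7", 32.0, build_dns_query("scfzf.xicp.net", flags=0x8180)),  # a response
    ("10.0.0.5", 400.0, build_dns_query("localhosts.3322.org")),
]

if __name__ == "__main__":
    for src, host in scan_dns_traffic(SAMPLE_TRAFFIC, ThresholdLimit()):
        print(f"ALERT src={src} Ginwui.B command server dns query - {host}")
```

Two points carry over from the rules themselves: the substring test (like Snort's content match without a trailing root label) also fires when the labels appear inside a longer name, and a DNS response carrying the same name does not match because its flag bytes are not 01 00. Both behaviours are what the advisory's rules do, which is why they detect only the post-compromise lookup and nothing about the document itself.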
Copyright © Lexa Software, 1996-2009.