Jason,

Thanks very much for your explanation! I think that ISS should give us a
PAM parameter to configure the number of script action handlers (in which
case I would simply increase this parameter) or somehow rewrite the
signature to reduce the number of false positives.

Thanks again. Good luck!

-- Sergey

> -----Original Message-----
> From: Jason Baeder [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 08, 2006 7:13 PM
> To: Soldatov, Sergey V.; [email protected]
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
>
> This bit from the CVE entry makes for interesting reading:
>
> 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer
> 6.0.2900.2180, and probably other versions, allows remote attackers to
> execute arbitrary code via an HTML tag with a large number of script
> action handlers such as onload and onmouseover, as demonstrated using
> onclick, aka the "Multiple Event Handler Memory Corruption
> Vulnerability."'
>
> There is a demo page here:
> http://lcamtuf.coredump.cx/iedie.html
>
> Some code from the page looks like this:
>
> <html><body><img
> src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo
> onclick=bork onclick=bork onclick=bork onclick=bork
> onclick=bork onclick=bork onclick=bork onclick=bork
> onclick=bork onclick=bork onclick=bork onclick=bork
> onclick=bork.........
>
> It is possible that ISS is counting "large number[s] of script action
> handlers" in web pages (those "onclick" actions above) and false
> positives come from either 1) alerting on too few actions*, or 2)
> alerting on the right number of actions, but they are in non-malicious
> web pages.
>
> *There doesn't seem to be agreement on how many is too many.
>
> In this case, there is probably no way to distinguish the malicious
> page from the non-malicious automagically. I see a lot of these events
> from web-based mail sites (like Yahoo), online shopping and travel
> sites, and other feature-rich sites. The key here is "feature-rich
> site": lots of buttons and actions.
>
> With this and other similar sigs, it takes an alert (pun intended)
> analyst to 1) weed out the innocuous sites, 2) correlate any malicious
> activity from the target after the event occurred (assuming it does
> something to attract the attention of the IDS), and 3) confirm that the
> target host is patched to current.
>
> Interestingly, we also see alerts for this sig from traffic between our
> inbound mail gateway and the spam-scrubbers. I haven't seen the spam
> itself, but I'm guessing maybe it was HTML-based(??). And, yes, that
> would mean that ISS is analyzing SMTP traffic with this signature.
>
> Jason
>
> --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote:
>
> > I see the HTML_Mshtml_Overflow event generated from:
> > 62.140.23.27
> > 81.177.28.61
> >
> > Why? Are those false positives? How can I configure the
> > HTML_Mshtml_Overflow signature to mitigate such FPs? How does
> > HTML_Mshtml_Overflow work? What does it search for?
> >
> > Thanks.
> >
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 495 745 89 50
> > tel +7 495 777 77 07 (1613)
> >
> > _______________________________________________
> > ISSForum mailing list
> > [email protected]
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> > To contact the ISSForum Moderator, send email to
> > [EMAIL PROTECTED]
> >
> > The ISSForum mailing list is hosted and managed by Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
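Jason's reading of the CVE text is that the detector counts event-handler attributes, and that a count taken across the whole page cannot separate one element stuffed with handlers (the iedie.html pattern) from a feature-rich page whose many elements each carry one or two. The Python below is an added example written for this archive; it is not code from the thread and not ISS's signature, and it makes no claim about how the real HTML_Mshtml_Overflow signature or its PAM tuning works. The two thresholds (20 handlers on one tag, 100 across a page) and the two sample pages are constructed for illustration only. It tokenises start tags with a regular expression, counts handler attributes per tag, and reports both a page-wide verdict and a per-tag verdict so the two heuristics can be compared on the same input.

```python
import re
from collections import namedtuple

# Start tag: the element name, then an optional attribute blob up to '>'.
TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)((?:\s+[^<>]*)?)\s*/?>")
# An attribute name of the form on<letters>= (onclick=, onload=, onMouseOver=).
# The lookbehind stops it matching inside a longer name such as data-onclick=.
HANDLER_RE = re.compile(r"(?<![\w-])(on[a-z]+)\s*=", re.I)

# Illustrative thresholds assumed for this example; not the ISS signature's values.
PER_TAG_LIMIT = 20
PER_PAGE_LIMIT = 100

Verdict = namedtuple("Verdict", "total max_per_tag page_trips tag_trips")


def handlers_per_tag(html):
    """Return [(tag_name, handler_count), ...] for every start tag in html."""
    counts = []
    for m in TAG_RE.finditer(html):
        name = m.group(1).lower()
        attrs = m.group(2) or ""
        counts.append((name, len(HANDLER_RE.findall(attrs))))
    return counts


def classify(html, per_tag_limit=PER_TAG_LIMIT, per_page_limit=PER_PAGE_LIMIT):
    """Compare a page-wide handler count with the worst single tag.

    page_trips mimics a detector that only counts handlers across the whole
    page (prone to false positives on feature-rich sites); tag_trips keys on
    the pattern the CVE text describes: many handlers on one HTML tag.
    """
    counts = handlers_per_tag(html)
    total = sum(n for _, n in counts)
    worst = max((n for _, n in counts), default=0)
    return Verdict(total, worst, total >= per_page_limit, worst >= per_tag_limit)


def exploit_like_page(n_handlers):
    """Constructed sample modelled on the iedie.html fragment quoted in the
    thread: one element carrying n_handlers copies of onclick. Plain text here;
    nothing renders it."""
    return ("<html><body><img src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg>"
            "<foo " + "onclick=bork " * n_handlers + "></foo></body></html>")


def feature_rich_page(n_buttons):
    """Constructed sample of a busy but benign page: many elements, each with
    only two handlers (the webmail / shopping-site case from the thread)."""
    rows = "".join(
        f'<button id="b{i}" onclick="go({i})" onmouseover="hl({i})">Item {i}</button>\n'
        for i in range(n_buttons))
    return "<html><body>\n" + rows + "</body></html>"


if __name__ == "__main__":
    for label, page in (("exploit-like", exploit_like_page(200)),
                        ("feature-rich", feature_rich_page(60))):
        v = classify(page)
        print(f"{label:12s} total={v.total:4d} max_per_tag={v.max_per_tag:4d} "
              f"page_count_alerts={v.page_trips} per_tag_alerts={v.tag_trips}")
```

Run stand-alone, the feature-rich sample (60 buttons, 120 handlers in total, at most 2 on any tag) trips the page-wide count but not the per-tag check, while the iedie-style sample (200 handlers on one tag) trips both. The same counting applies unchanged to the decoded HTML part of a MIME message, which is consistent with Jason seeing the signature fire on the SMTP leg between his mail gateway and the spam scrubbers. Two caveats a practitioner should keep in mind: a regular expression is not an HTML parser, so handlers hidden inside quoted attribute values, comments, or tags split by encoding tricks will be miscounted, and a count of any size only says a page looks like the demo, so Jason's third step, confirming whether the target host is patched, still decides whether the alert matters.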
