Sorry, it's documented in the new PAM documentation (KB #2190). I have been working with the old one... It's my mistake.
Thanks a lot!

--- Sergey

> -----Original Message-----
> From: Means, David (ISS Atlanta) [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 12, 2006 8:21 PM
> To: Soldatov, Sergey V.
> Subject: RE: [ISSForum] HTML_Mshtml_Overflow
>
> Sergey:
>
> The tuning param you're looking for is pam.html.mshtml.bo
>
> It should be documented in the help, if it's not, please let
> me know and I'll open a change request.
>
>
> David Means
> Team Lead / X-Force PAM Development
> Internet Security Systems
> 6303 Barfield Road
> Atlanta, GA. 30328
> Office: 404-236-2842
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Soldatov, Sergey V.
> Sent: Thursday, May 11, 2006 8:43 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ISSForum] HTML_Mshtml_Overflow
>
>
> Jason,
> Thanks very much for your explanation!
> I think that ISS should give us a pam parameter to configure the
> number of script action handlers (in this case I simply
> increase this param) or somehow rewrite the signature to reduce the
> number of false positives.
>
> Thanks again.
> Good luck!
>
> -- Sergey
>
> > -----Original Message-----
> > From: Jason Baeder [mailto:[EMAIL PROTECTED]
> > Sent: Monday, May 08, 2006 7:13 PM
> > To: Soldatov, Sergey V.; [email protected]
> > Subject: Re: [ISSForum] HTML_Mshtml_Overflow
> >
> > This bit from the CVE entry makes for interesting reading:
> >
> > 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer
> > 6.0.2900.2180, and probably other versions, allows remote attackers to
> > execute arbitrary code via an HTML tag with a large number of script
> > action handlers such as onload and onmouseover, as demonstrated using
> > onclick, aka the "Multiple Event Handler Memory Corruption
> > Vulnerability."'
> >
> > There is a demo page here:
> > http://lcamtuf.coredump.cx/iedie.html
> >
> > Some code from the page looks like this:
> >
> > <html><body><img
> > src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
> > onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork
> > onclick=bork onclick=bork onclick=bork.........
> >
> >
> > It is possible that ISS is counting "large number[s] of script action
> > handlers" in web pages (those "onclick" actions
> > above) and false positives come from either 1) alerting on too few
> > actions*, or 2) alerting on the right number of actions, but they are
> > in non-malicious web pages.
> >
> > *There doesn't seem to be agreement on how many is too many.
> >
> > In this case, there is probably no way to distinguish the malicious
> > page from the non-malicious automagically. I see a lot of these
> > events from web-based mail sites (like Yahoo), online shopping and
> > travel sites, and other feature-rich sites. The key here is
> > "feature-rich site"; lots of buttons and actions. With this and other
> > similar sigs, it takes an alert (pun intended) analyst to 1) weed out
> > the innocuous sites, 2) correlate any malicious activity from the
> > target after the event occurred (assuming it does something to attract
> > the attention of the IDS), and 3) confirm that the target host is
> > patched to current.
> >
> > Interestingly, we also see alerts for this sig from traffic between
> > our inbound mail gateway and the spam-scrubbers. I haven't seen the
> > spam itself, but I'm guessing maybe it was HTML-based(??). And, yes,
> > that would mean that ISS is analyzing SMTP traffic with this
> > signature.
> >
> > Jason
> >
> > --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote:
> >
> > > I see HTML_Mshtml_Overflow event generated from:
> > > 62.140.23.27
> > > 81.177.28.61
> > >
> > > Why? Are those false positives? How to configure the
> > > HTML_Mshtml_Overflow signature to mitigate such FPs? How does
> > > HTML_Mshtml_Overflow work? What does it search for?
> > >
> > > Thanks.
> > >
> > > ---
> > > Best regards, Sergey V. Soldatov.
> > > Information security department.
> > > tel/fax +7 495 745 89 50
> > > tel +7 495 777 77 07 (1613)
> > >
> > >
> > > _______________________________________________
> > > ISSForum mailing list
> > > [email protected]
> > >
> > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > >
> > > To contact the ISSForum Moderator, send email to
> > > [EMAIL PROTECTED]
> > >
> > > The ISSForum mailing list is hosted and managed by Internet Security
> > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
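The thread's guess is that the signature counts on* event-handler attributes and that feature-rich pages trip it. The following is an added illustration of that tuning problem, not ISS code and not a description of how PAM actually implements the check: it counts handlers both per tag and per page over two constructed samples, so the difference between the repeated-handler shape quoted above and an ordinary page with many buttons is visible. The threshold value and the `per_tag` switch are assumptions standing in for a tunable parameter like the one named in the thread.

```python
from html.parser import HTMLParser

# Constructed samples (not taken from the thread). The first mimics the shape
# of the quoted demo page: a single tag carrying many repeated handlers.
# The second is a "feature-rich" page: just as many handlers, spread over tags.
REPEATED_HANDLER_PAGE = (
    "<html><body><img src=photo.jpg><foo "
    + "onclick=bork " * 40
    + "></foo></body></html>"
)
FEATURE_RICH_PAGE = (
    "<html><body>"
    + "".join(f"<button onclick=f{i}() onmouseover=h{i}()>b{i}</button>"
              for i in range(40))
    + "</body></html>"
)


class HandlerCounter(HTMLParser):
    """Counts on* event-handler attributes, both per tag and per page."""

    def __init__(self):
        super().__init__()
        self.per_page = 0      # total handler attributes in the document
        self.max_per_tag = 0   # highest handler count seen on one tag
        self.worst_tag = None  # name of the tag that carried that count

    def handle_starttag(self, tag, attrs):
        # html.parser keeps duplicate attributes, so repeated onclick= are all counted
        n = sum(1 for name, _ in attrs if name.startswith("on"))
        self.per_page += n
        if n > self.max_per_tag:
            self.max_per_tag, self.worst_tag = n, tag


def count_handlers(html):
    """Return (max handlers on a single tag, handlers in the whole page)."""
    p = HandlerCounter()
    p.feed(html)
    p.close()
    return p.max_per_tag, p.per_page


def would_alert(html, threshold=20, per_tag=True):
    """Hypothetical trigger rule: `threshold` is an assumed tunable limit;
    per_tag=False shows the page-wide count that fires on busy benign pages."""
    max_per_tag, per_page = count_handlers(html)
    return (max_per_tag if per_tag else per_page) >= threshold
```

With these inputs the per-tag rule separates the two pages, while the page-wide count flags the benign one too, which is the false-positive pattern Jason describes.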
