10-25-2010 05:09 AM - edited 03-10-2019 05:09 AM
Hi,
I was wondering if someone else has noted an increase in false positives concerning the following 2 events:
- Microsoft Internet Explorer toStaticHTML String Parsing Cross-Site Scripting Vulnerability
- Microsoft Office Excel Ghost Record Parsing Arbitrary Code Execution Vulnerability
Obviously I see these events because the signature has been introduced recently!!!
But I wonder if these alarms I'm getting are genuine (and I have a big problem), or if the signature needs to be 'tuned' by Cisco to be a bit less sensitive?
Has anyone experienced something similar or can shed some light?
Thanks,
seb.
11-06-2010 05:26 PM
Hello Seb,
I have not personally seen an attempted exploit for these two vulnerabilities on my IPS. Can you please provide a packet capture of the offending traffic - either by logging the attacker/victim pair with a signature action or Event Action Override? We can then review the traffic and compare it to what the signature is meant to match.
Are you seeing 26401/0, 30419/0, and 30659/0 fire? Are you seeing any additional signatures fire?
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
11-09-2010 02:21 AM
Hi,
thanks for the feedback. I will enable packet captures for the offending actions (currently this is running through our Mars server and I just have a partial dump).
Sig 30419 is the only one I am seeing fire, with one of our servers being the source of the event. Most of the "clients" are baidu and google webcrawlers, but I also see a couple of 'normal' clients.
Partial dump from "attacker" (our server):

0000 65 29 7b 20 2f 2f 76 33 2e 30 0d 0a 20 20 65 76  e){ //v3.0.. ev
0010 61 6c 28 74 61 72 67 2b 22 2e 6c 6f 63 61 74 69  al(targ+".locati
0020 6f 6e 3d 27 22 2b 73 65 6c 4f 62 6a 2e 6f 70 74  on='"+selObj.opt
0030 69 6f 6e 73 5b 73 65 6c 4f 62 6a 2e 73 65 6c 65  ions[selObj.sele
0040 63 74 65 64 49 6e 64 65 78 5d 2e 76 61 6c 75 65  ctedIndex].value
0050 2b 22 27 22 29 3b 0d 0a 20 20 69 66 20 28 72 65  +"'");.. if (re
0060 73 74 6f 72 65 29 20 73 65 6c 4f 62 6a 2e 73 65  store) selObj.se
0070 6c 65 63 74 65 64 49 6e 64 65 78 3d 30 3b 0d 0a  lectedIndex=0;..
0080 7d 0d 0a 2f 2f 2d 2d 3e 0d 0a 3c 2f 73 63 72 69  }..//-->..............<
00a0 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74  style type="text
00b0 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72  /css" media="scr
00c0 65 65 6e 22 3e 0d 0a 0d 0a 40 74 64 20 69 6d 67  een">....@td img
00d0 20 7b 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b   {display: block
00e0 3b 7d 40 69 6d 70 6f 72 74 20 75 72 6c 28 22 20  ;}@import url("
00f0 70 37 74 70 2f 70 37 74 70 5f 30 31 2e 63 73 73  p7tp/p7tp_01.css

Partial dump from "client":

0000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a  GET / HTTP/1.1..
0010 41 63 63 65 70 74 3a 20 74 65 78 74 2f 2a 0d 0a  Accept: text/*..
0020 55 73 65 72 2d 41 67 65 6e 74 3a 20 6f 42 6f 74  User-Agent: oBot
0030 0d 0a 48 6f 73 74 3a 20 ab ab ab ab ab ab ab ab  ..Host: abcabcab
0040 ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab ab  cabcabcabcab.abc
0050 ab ab ab 2e ab ab ab 0d 0a 43 61 63 68 65 2d 43  abc.abc..Cache-C
0060 6f 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65  ontrol: no-cache
0070 0d 0a 0d 0a                                      ....
Thanks,
seb.
11-29-2010 03:51 PM
Hello Seb,
Since I don't have the entire transmission, I can't tell what exactly is commented out in regard to the
............
01-05-2011 07:24 AM
Hello Seb,
As a follow-up to this thread, we have identified a false positive in signature 30419 and have corrected the signature. The signature change is currently in review and will likely make it into the signature update that releases next week.
Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
01-05-2011 07:41 AM
Thanks for the feedback.