
Signature for new PDF XSS

rnaydenov
Level 1

Hi,

Has someone been able to make an IPS signature for the new PDF XSS?

I have tried something on the http service engine, but I'm having trouble specifying the # symbol as well as the multiple characters that may be anything.

3 Replies

craiwill
Cisco Employee

We are currently looking into several new PDF vulnerabilities for inclusion in an official signature update. In the meantime, you should consider using the string-tcp engine "from-service" on #webports for a custom signature. The easiest way to encode most characters is to use the hex ASCII (ex: \x20 for space) representation or enclose them in a character class ([ ]). If you can provide any additional information on which specific vulnerability/exploit you're trying to address, I may be able to be of more assistance.

In this case I think I would write a return web signature so that we detect malicious incoming web pages (instead of ones that have been clicked).

I would consider something along the following lines:

String.tcp

From service

Port: #WEBPORTS

Summary Mode: Summarize

Summary Key: Axxx

Event Key: Axxx

[Hh][Rr][Ee][Ff][=][\x22\x60][Hh][Tt][Tt][Pp][:]\x2f\x2f[^\x0d\x0a\x3e\x7e-\xff]+[.][Pp][Dd][Ff][\x23][^\x0d\x0a\x3e\x7e-\xff]+[=][Jj][Aa][Vv][Aa][Ss][Cc][Rr][Ii][Pp][Tt]\x3a
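An offline check of the signature regex above against constructed response lines, as an added example that is not part of the original thread. The pattern is transcribed into a Python bytes regex, which assumes Python's `re` handles these constructs the same way as the sensor's string-tcp engine; the hostnames and the `PLACEHOLDER` script body are constructed.

```python
import re

# The thread's signature, transcribed into a Python bytes regex.
# Bytes mode keeps \x7e-\xff as a raw byte range, as it appears on the wire.
SIG = re.compile(
    rb'[Hh][Rr][Ee][Ff][=][\x22\x60][Hh][Tt][Tt][Pp][:]\x2f\x2f'
    rb'[^\x0d\x0a\x3e\x7e-\xff]+[.][Pp][Dd][Ff][\x23]'
    rb'[^\x0d\x0a\x3e\x7e-\xff]+[=][Jj][Aa][Vv][Aa][Ss][Cc][Rr][Ii][Pp][Tt]\x3a'
)

# Constructed server-to-client HTML fragments (not captured traffic).
SAMPLES = [
    (b'<a href="http://www.example.com/docs/report.pdf#x=javascript:PLACEHOLDER">',
     "PDF link whose fragment carries a javascript: value"),
    (b'<A HREF=`HTTP://files.example.org/a.PDF#blah=JavaScript:PLACEHOLDER`>',
     "same shape, mixed case and backtick quoting"),
    (b'<a href="http://www.example.com/manual.pdf#page=3">Manual</a>',
     "ordinary PDF open parameter"),
    (b'<a href="http://www.example.com/a.pdf#page=2">x</a> '
     b'<a href="x=javascript:void(0)">y</a>',
     "two unrelated links; \\x3e in the class stops a cross-tag match"),
    (b'<a href="http://www.example.com/page.html#a=javascript:PLACEHOLDER">',
     "fragment on a non-PDF resource"),
]


def scan(body):
    """Return every byte span in body that the signature would fire on."""
    return [m.group(0) for m in SIG.finditer(body)]


def verdicts():
    """One boolean per sample: True where the signature matches."""
    return [bool(scan(body)) for body, _ in SAMPLES]


if __name__ == "__main__":
    for (body, label), hit in zip(SAMPLES, verdicts()):
        print(f"{'ALERT' if hit else 'clean':5}  {label}")
```

Running benign links such as `#page=3` through the same check before deployment gives a quick read on false positives for the custom signature.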
