Custom Signature for AOL Instant Messenger Overflow

anthall
Level 1

Below is a custom signature for the recent AOL instant messenger buffer overflow referenced by the group w00w00's recent posting to bugtraq and NTbugtraq. The information is presented as a 'SigWizMenu' screenshot. The signature can be added to a sensor using the 'SigWizMenu' tool. Please see the sensor release notes for more information regarding adding custom signatures.

This signature is slated to be included with the Signature Update S14.

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.TCP SIGID 20004
SigName: AIM overflow
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength =
8 - MinHits = 1
9 - MinMatchLength = 500
10 - MultipleHits =
11 * RegexString = [Mm][Aa][Ii][Mm][:].*[\r\n]
12 - ResetAfterIdle = 15
13 - ServicePorts = 5190
14 - SigComment =
15 - SigName = AIM overflow
16 - SigStringInfo = Maim: <500+ chars>
17 - StripTelnetOptions =
18 - ThrottleInterval =
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
Selection>

2 Replies

crossmanj
Level 1

Like many other security professionals, I am active on several forums, and when I had a chance to share this data, I leapt at the chance. In the past year, y'all have done a wonderful job getting current and timely custom signatures out to us.

I received this feedback, however, and I wanted to forward it back to y'all, especially since I had started to look at all the ports AIM uses yesterday. Here are the comments I received. I look forward to your response:

"I was looking at the signature you sent... and I just wanted to let you know I saw a few flaws with it. First, AIM can run on any port. I've seen people set it to port 23 and 80 to get around firewalls. I'm personally not using 5190 for AIM either. We use a different port in our environment. I'm also not sure what "maim:" will detect, but I'm not that familiar with the protocol. The Snort signature is

alert tcp [64.12.163.0/24,205.188.9.0/24] any -> $HOME_NET any \
    (msg:"EXPERIMENTAL MISC AIM AddGame attempt"; flags:A+; \
    content:"aim\:AddGame?"; nocase; \
    reference:url,www.w00w00.org/files/w00aimexp/; \
    reference:bugtraq,3769; classtype:misc-attack; \
    sid:1393; rev:3;)

which just looks for "aim\:AddGame?" in the packet.

I would check with your vendor about getting a better signature if you can."

With the exception of the port limitation, our signature is not as specific as the Snort signature, nor will it alarm on any attempt to use the AddGame feature, which may be benign in nature. So the formation of the signature is better for avoiding false positives. It will catch any attempt to overflow the buffers via any of the other functions, as the exploit specified that it attacked AddGame specifically, yet other functions were potentially exploitable.

If you wish to have the sensor apply this to all ports or a list of ports, it can be done. Unfortunately, to listen on all ports we will have to work around a bug in our parser that we just found when testing this example.

To listen on all ports in SigWizMenu, first modify the settings on the AIM signature that you have deployed. You will want to modify entry 13, which corresponds to the ports. The value you will want to place there is 1-32776,32778-65535. Then you will need to add another signature just like the first, only with the port set to 32777. The two of these combined will cover all ports.

If you want to listen on some other list of ports, you can combine ranges such as 1-24,26-32,35778,62432 or whatever combination you wish, as long as the range or the list does not contain 32777. This port must be in a separate signature of its own. That is the bug that I mentioned.
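As an added example (not part of this thread, and not Cisco's or Snort's code), the Python below models the detection logic the two posts compare: the custom STRING.TCP signature 20004 from the first post (RegexString plus MinMatchLength on ServicePorts) and the Snort sid:1393 content match quoted in the reply, together with the SigWizMenu port-list expansion and the 32777 restriction described in the last reply. It assumes STRING.TCP semantics in which MinMatchLength applies to the length of the regex match, and the sample payloads are constructed strings that merely carry the bytes each signature keys on, not real AIM captures.

```python
import ipaddress
import re

# Parameters of the CSIDS STRING.TCP custom signature 20004 as posted.
AIM_OVERFLOW_REGEX = re.compile(rb"[Mm][Aa][Ii][Mm][:].*[\r\n]")
MIN_MATCH_LENGTH = 500          # MinMatchLength = 500
DEFAULT_SERVICE_PORTS = "5190"  # ServicePorts = 5190

# Snort sid:1393 as quoted in the reply: source nets and a nocase content.
SNORT_SRC_NETS = [ipaddress.ip_network("64.12.163.0/24"),
                  ipaddress.ip_network("205.188.9.0/24")]
SNORT_CONTENT = b"aim:addgame?"  # matched case-insensitively (nocase)


def expand_ports(spec: str) -> set:
    """Expand a SigWizMenu-style port list such as '1-24,26-32,35778'.

    Raises ValueError if the list covers 32777, which the thread says the
    parser cannot take inside a range or list (it needs its own signature).
    """
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ports.update(range(lo, hi + 1))
    if 32777 in ports:
        raise ValueError("32777 must be deployed as a separate signature")
    return ports


def csids_aim_overflow(payload: bytes, dst_port: int,
                       port_spec: str = DEFAULT_SERVICE_PORTS) -> bool:
    """Assumed STRING.TCP semantics: fire when RegexString matches on a
    ServicePorts port and the matched span is at least MinMatchLength bytes."""
    if dst_port not in expand_ports(port_spec):
        return False
    m = AIM_OVERFLOW_REGEX.search(payload)
    return m is not None and (m.end() - m.start()) >= MIN_MATCH_LENGTH


def snort_aim_addgame(payload: bytes, src_ip: str) -> bool:
    """sid:1393: any port, source in the AOL nets, nocase content match."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in SNORT_SRC_NETS):
        return False
    return SNORT_CONTENT in payload.lower()


# Constructed sample payloads (not captures): each just carries the string
# the signatures key on, so the two detectors can be compared on equal terms.
BENIGN_ADDGAME = b"maim:AddGame?name=checkers&host=example\r\n"
OVERFLOW_ADDGAME = b"maim:AddGame?" + b"A" * 600 + b"\r\n"
OVERFLOW_OTHER = b"maim:goim?" + b"A" * 600 + b"\r\n"


def compare(payload: bytes, dst_port: int, src_ip: str,
            port_spec: str = DEFAULT_SERVICE_PORTS) -> dict:
    """Run both signatures over one constructed packet."""
    return {
        "csids_20004": csids_aim_overflow(payload, dst_port, port_spec),
        "snort_1393": snort_aim_addgame(payload, src_ip),
    }


if __name__ == "__main__":
    aol = "64.12.163.10"  # constructed address inside one of the Snort nets
    print("benign AddGame on 5190   ", compare(BENIGN_ADDGAME, 5190, aol))
    print("600-byte AddGame on 5190 ", compare(OVERFLOW_ADDGAME, 5190, aol))
    print("600-byte goim on 5190    ", compare(OVERFLOW_OTHER, 5190, aol))
    print("600-byte AddGame on 23   ", compare(OVERFLOW_ADDGAME, 23, aol))
    print("same, all-ports workaround",
          compare(OVERFLOW_ADDGAME, 23, aol, "1-32776,32778-65535"))
    covered = expand_ports("1-32776,32778-65535") | {32777}
    print("two-signature workaround covers every port:",
          covered == set(range(1, 65536)))
```

Run stand-alone, the script shows the trade-off the reply describes: the Snort rule alarms on the short, benign AddGame message and misses a long message aimed at another function, while the custom signature does the reverse but only on the ports it is told to watch. Note also that sid:1393 inspects traffic from the AOL address ranges into $HOME_NET, whereas the custom signature is Direction = ToService on the listed ports; the two are not watching the same side of the conversation.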
