1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
Rule:
--
Sid:
2706
--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft GDI using a malformed JPEG image.
This rule does not generate an event, however, Sid 2707 depends
on this rule to function properly.
--
Impact:
Serious. Execution of arbitrary code is possible. Denial of Service
(DoS),
--
Detailed Information:
The Microsoft Graphics Device Interface contains a programming error
in the handling of Joint Photographics Experts Group (JPEG) files. This
error may allow an attacker to execute code of their choosing on a
vulnerable system.
Due to the popularity of jpeg files, and in order to provide accurate
detection for the GDI JPEG vulnerability, sid 2705 may generate false
positive events in certain situations. Since this rule may generate
a number of false positives it is disabled by default.
In order to avoid potential evasion techniques, http_inspect should be
configured with "flow_depth 0" so that all HTTP server response traffic is
inspected.
WARNING
Setting flow_depth 0 will cause performance problems in some situations.
WARNING
--
Affected Systems:
All Microsoft systems including multiple Microsoft products
--
Attack Scenarios:
An attacker would need to supply a malformed jpeg image to a victim and
have the use attempt to view the file.
--
Ease of Attack:
Medium.
--
False Positives:
False positive events are known to occur with this rule, the incidence
is low but may be an inconvenience in some installations.
--
False Negatives:
None known.
--
Corrective Action:
Apply the appropriate vendor supplied patches.
--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Alex Kirk <alex.kirk@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
