SNORT Rules for CVE-2011-3416

Just before we say good bye to 2011, Microsoft released a security bulletin for escalation of privileges vulnerability in .Net Framework.

NIST describe the vulnerability as – The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka “ASP.Net Forms Authentication Bypass Vulnerability.”

Microsoft has patched the vulnerability and released the updates as well.

As the exploit attempts can be detected on wire, below is my version of Snort rule which will help detect exploitation attempt of this vulnerability.

1
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:" Attempt of ASP.Net Forms Authentication Bypass Vulnerability"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; content:"CreateUserStepContainer|25|24|";nocase; fast_pattern:only; http_client_body; pcre:"/UserName=[\w\x2E\x2D\x5F]+(%00)/OPsmi"; reference:"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3416"; classtype:misc-activity; sid:1000029;rev:1;)

Please do let me know if above rule can be fine-tuned and improved.

Further reading:

Rating 3.00 out of 5

Leave a Reply

This entry was posted on Thursday, January 5th, 2012 at 12:37 am and is filed under Information Security, Snort Signature, Web Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Get Adobe Flash playerPlugin by wpburn.com wordpress themes