Network detection rules for WorldMail 3.0 IMAPD SEH overflow

NullSecurity.net publicly released a security advisory on an SEH overflow in the WorldMail 3.0 IMAPD product.

An attacker could exploit this issue to execute arbitrary code in the context of the application, which may lead to compromise of the application and the underlying system. Attackers do not need to authenticate to exploit this vulnerability, making its threat level Critical.

Qualcomm has not yet released a fix for this vulnerability; however, the Snort rule below will detect attempts to exploit it.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"WorldMail 3.0 BO exploit attempt"; flow:to_server,established; content:"a001 LIST"; nocase; offset:0; depth:9; fast_pattern; isdataat:700,relative; sid:1000004; rev:1;)
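
To check offline which payloads the rule fires on, the following Python sketch emulates its content and isdataat checks. It is an added example, not part of the original post: the function names are hypothetical, the payloads are constructed filler data, and it assumes Snort 2.x semantics in which `isdataat:700,relative` requires a byte to exist 700 bytes past the end of the content match.

```python
"""Offline emulation of the rule's payload checks (added example, constructed data)."""

PATTERN = b"a001 LIST"   # content:"a001 LIST"
WINDOW = 9               # the content must sit within the first 9 payload bytes
ISDATAAT = 700           # isdataat:700,relative


def rule_matches(payload: bytes) -> bool:
    """Return True when the payload satisfies the content and isdataat checks."""
    # nocase: compare case-insensitively, restricted to the 9-byte window.
    idx = payload[:WINDOW].lower().find(PATTERN.lower())
    if idx < 0:
        return False
    # After a content match the detection cursor points just past the pattern.
    cursor = idx + len(PATTERN)
    # isdataat:700,relative: a byte must exist at cursor + 700 (assumed semantics).
    return cursor + ISDATAAT < len(payload)


def build_samples() -> dict:
    """Constructed IMAP client payloads: benign commands and oversized LIST lines."""
    return {
        "normal_list": b'a001 LIST "" "*"\r\n',       # ordinary folder listing
        "login": b"a001 LOGIN user pass\r\n",         # different command
        "list_709_bytes": PATTERN + b"A" * 700,       # one byte short of the threshold
        "list_710_bytes": PATTERN + b"A" * 701,       # byte at cursor + 700 exists
        "mixed_case": b"A001 list " + b"A" * 800,     # nocase still matches
    }


def evaluate() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_matches(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16s} {'ALERT' if hit else 'no alert'}")
```

The boundary cases show that the rule only alerts once the whole payload reaches 710 bytes, so ordinary LIST commands do not trigger it.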

Stay safe!


This entry was posted on Friday, January 20th, 2012 at 5:02 am and is filed under Exploitation, Snort Signature.
