Hello, >Which security solutions are expected to catch these kinds of attacks?
NIPS and HIPS. O# on a tangent, the vulnerability is in a fixed stack-based buffer of ~2.5k allocated for one of the values extracted from the ARJ file header. Kernel32.Readfile() is then used to load the buffer. To illustrate, a HIPS should be able to stop the attack with a canary/integrity check. A generic behaviour-based HIPS should also be able to detect the attack for payloads that do not involve mimicry. There are fewer options with NIPS, but there are things that can be done to provide protection (see below). >It seems that NIPS/NIDS solution typically check for buffer overflow attacks >at protocol level, but not at the >file/archive level. If so, is it fair to assume that only security solutions >running, on the client machine, catch >these kjinds of attacks. Any insight is >appreciated. Not exactly. Many modern NIPS do provide protection against this and other client-side attacks. In this particular case, it is sufficient to parse local ARJ file headers checking for an overly large local header size. Sincerely, Oleg Kolesnikov Director of Security Research TopLayer, Inc. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Surya Batchu Sent: Thursday, March 15, 2007 1:07 AM To: [email protected] Subject: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Hi, Please see this advisory: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3051 This attack can be launched remotely by sending specially crafted data in archived file. Which security solutions are expected to catch these kinds of attacks? It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catch these kjinds of attacks. Any insight is appreciated. Thanks Surya ____________________________________________________________________________________ It's here! Your new message! Get new email alerts with the free Yahoo! Toolbar. http://tools.search.yahoo.com/toolbar/features/mail/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
