3552.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule: 

--
Sid: 
3552

-- 
Summary: 
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Windows.

-- 
Impact: 
Serious. Code execution may be possible.

--
Detailed Information:
Microsoft Windows has design errors that may enable an attacker to
execute code of their choosing on a vulnerable system. Specifically, it
is possible to execute code from objects not marked as executable.

Microsoft OLE2 allows objects to be executed by integrating
applications. The Class ID (CLSID) of an object allows objects to be
loaded by multiple applications. This CLSID is embedded in the object
and may be manipulated by an attacker to force an application into
executing code of the attackers choosing.

Specifically, the CLSID can be made to point at the Microsoft HTML
Application Host (MSHTA). MSHTA.EXE will process each line of a file and
execute any script code it finds.

--
Affected Systems:
	All versions of Microsoft Windows

--
Attack Scenarios: 
An attacker could modify the CLSID of a document and provide a link to
the victim who could then access and execute the code without being
aware of what has happened.

-- 
Ease of Attack: 
Difficult.

-- 
False Positives:
None known.

--
False Negatives:
None known.

-- 
Corrective Action: 
Apply the appropriate vendor supplied patch

Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:

iDefense:
http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS05-016.mspx

--