Quicktime 7.3.1 is now available from Apple's download servers. This update contains a fix for the Content-Type RTSP header overflow covered here previously. Currently it does not appear to be published in the Apple Software Update, but I would expect to see it there soon.

SANS ISC is now reporting that the Apple Quicktime Content-Type Overflow that I've written about exensively is now being actively exploited in the wild. This is not surprising - this is easy to exploit, affects multiple platforms, and still hasn't been patched.

SANS posts a number of workarounds, all which center around disabiling Quicktime or blocking the traffic, none of which are going to be very effective. Below I discuss the problems with the current suggestions, and another possible workaround.

In response to my previous posts I received a very nice request to explain the construction of the Quicktime content-type overflow rules. Everytime I write a Snort rule I learn something about the protocol or Snort, so it's worth it to me to dig a bit deeper. What follows is a discussion of the process I use to construct a complex rule.

A few more things about the Quicktime 0-day.

First, the Snort rules have been tested. The corrected rules are attached to this post.

Second, I knew I felt déjà vu over this one. Back in 2002 there was an Content-Type vulnerability in the Japanese localized Quicktime 5.01 and 5.02 (see CVE entry CVE-2002-0252). You'd think that things would improve in the intervening 5 years.

I've updated the signature to (hopefully) avoid HTTP response splitting detection avoidance:

alert tcp $EXTERNAL_NET $(RTSP_PORTS:-554) -> $HOME_NET any
(msg: "Apple Quicktime RTSP flow classification";
flow: established,to_client; 
flowbits:isnotset,is_proto_rtsp;
content: "rtsp/"; nocase; depth: 5;
flowbits:noalert; flowbits:set,is_proto_rtsp;
classtype:not-suspicious; sid: 1071101; rev: 2;)

alert tcp $EXTERNAL_NET $(RTSP_PORTS:-554) -> $HOME_NET any
(msg: "Apple Quicktime RTSP Content-Type overflow attempt";
flow: established,to_client; 
flowbits:isset,is_proto_rtsp; 
content: "Content-Type: "; nocase;
content:!"|0A|"; within: 50;
reference: url,www.kb.cert.org/vuls/id/659761;
reference: url,www.milw0rm.com/exploits/4657;
classtype: attempted-user;sid: 1071102; rev: 1;)

Another 0-day in the wild, it must be Tuesday.

This time it is in Apple Quicktime, and a patch is not available from Apple as of this writing. Quicktime self updates (along with an annoying offer to also install iTunes), so it should be patched widely once an update is available.

I've written an as-yet untested (YMMV) Snort signature to detect this:

Ankylosaurus was a 4-ton herbivore that lived about 65 million years ago at the end of the Cretaceous Period. Representing the pinnacle of evolution in dinosaur defense, Ankylosaurus was a veritable tank. These wide and low dinos were covered with armor plates which were used together to form a nearly impenatrable shell. They featured triangular horns on their heads and a large, club-like tail. Their leathery skin was covered with spikes, which even covered their eyelids.

What does the Ankylosaurus have to do with modern security? There's probably some lessons we can learn from them. Their skulls were so thick that some scientists think that their brains were no larger than a golf ball, and as such, they were one of the least intelligent dinosaurs. Further, the fusion of the bones in their backs and necks helped prevent attack, but they probably couldn't even lift their heads to reach food above ground level. And despite their formidable defenses, none of them survived past the K–T extinction event.

Attached is a presentation I gave to the St. Louis Security Group on Intrusion Detection with Snort.  In the presentation I covered the basics of IDS, and an overview of Snort.

Cisco has advised about multiple vulnerabilities affecting 7.1 and 7.2 PIX and ASA firewall appliances.

The LDAP vulnerability can result in unauthenticated remote access if a 7.2 code firewall is configured for L2TP or remote management access.

The VPN vulnerabilities can result in system DoS if a version 7.1 or 7.2 firewall is configured for VPN with password expiration or SSL VPN termination.

Every organization needs a security policy.  The security policy forms the basis for efforts to secure a network and should outline what the company expects.  Cisco has introduced a free tool that will generate a security policy based on the answers to some basic questions.  If your organization doesn't currently have a security policy in place, I suggest you check it out!  Of course, any discussion about policy generation should also include a link to the SANS Institute Security Policy project - an excellent collection of advice and templates.