This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to miscellaneous attacks. There are two main types of exploits in this category affecting a wide range of software with similar functionalities. The first type of exploit takes advantage of a file type vulnerability and is usually implemented using a corrupted file. The second type of exploit attempts to take advantage of a vulnerability in a server service and is usually implemented through a malformed request. If either of these exploits succeeds, a remote attacker can gain control of a machine on the network or cause it to crash.
The file type exploits usually take advantage of an unchecked buffer in the programs that process particular files. The highest profile vulnerability to such an exploit was discovered recently in JPEG images when handled by the Windows GDI graphical subsystem. JPEG images with malformed headers could be mishandled by this Windows component and cause the computer to crash, or in certain instances where the JPEG header was maliciously engineered, cause the computer to execute bytecode that the attacker included in the file. Similar vulnerabilities exist with compressed ZIP files, or more generically with files described by ASN.1 (Abstract Syntax Notation), which tells systems how to handle and decode particular types of data after transfers. These file type exploits can be especially dangerous because the user actions that trigger them are not usually considered dangerous -- users are likely, for example, to open a JPEG image without considering the possibility that it contains executable bytecode. For this reason, keeping these files off of the network before they reach users is the best line of defense.
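As an added illustration (not SonicWALL code and not one of its signatures), the C example below shows the kind of header check whose absence the paragraph above describes: each JPEG marker segment declares its own 2-byte big-endian length, which counts those two bytes, and a safe parser validates that value against the real buffer before using it. The function name, result codes and sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for this added example (names are hypothetical). */
enum jpeg_check { JPEG_OK = 0, JPEG_NOT_JPEG, JPEG_TRUNCATED, JPEG_BAD_LENGTH };

/* Walk the header segments from SOI up to SOS/EOI and validate every
 * declared segment length before any parser would copy that many bytes. */
enum jpeg_check jpeg_check_segments(const uint8_t *buf, size_t len)
{
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;                          /* no SOI marker */
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 2) return JPEG_TRUNCATED;
        if (buf[pos] != 0xFF) return JPEG_NOT_JPEG;    /* marker expected */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }       /* fill byte */
        pos += 2;
        if (marker == 0xD9) return JPEG_OK;            /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                                  /* no length field */
        if (len - pos < 2) return JPEG_TRUNCATED;
        size_t seg = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seg < 2) return JPEG_BAD_LENGTH;     /* length includes itself */
        if (seg > len - pos) return JPEG_TRUNCATED;    /* runs past the file */
        if (marker == 0xDA) return JPEG_OK;      /* SOS: headers are done */
        pos += seg;
    }
    return JPEG_TRUNCATED;
}

/* Constructed sample inputs, not taken from any real file. */
static const uint8_t SAMPLE_OK[]      = {0xFF,0xD8,0xFF,0xE0,0x00,0x04,0x41,0x42,0xFF,0xD9};
static const uint8_t SAMPLE_SHORT[]   = {0xFF,0xD8,0xFF,0xFE,0x00,0x01,0xFF,0xD9};
static const uint8_t SAMPLE_OVERRUN[] = {0xFF,0xD8,0xFF,0xE1,0xFF,0xF0,0x41,0x42};
static const uint8_t SAMPLE_ZIP[]     = {0x50,0x4B,0x03,0x04};

int main(void)
{
    printf("ok=%d short=%d overrun=%d zip=%d\n",
           jpeg_check_segments(SAMPLE_OK, sizeof SAMPLE_OK),
           jpeg_check_segments(SAMPLE_SHORT, sizeof SAMPLE_SHORT),
           jpeg_check_segments(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN),
           jpeg_check_segments(SAMPLE_ZIP, sizeof SAMPLE_ZIP));
    return 0;
}
```

A gateway or upload filter can apply the same structural check to reject files whose declared lengths are impossible, independently of whether the client software has been patched.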
The server service exploits described in this category are designed for a wide range of services handling a number of different protocols. Several of the server attacks described here are relatively trivial, including possible attempts by attackers to log in to servers using brute-force password cracking techniques. However, other exploits involve attempted buffer overflow or format string attacks implemented through maliciously crafted requests that can cause these servers to malfunction or execute arbitrary code, giving attackers control over the server. Vulnerable servers protected in this category include those providing bootp, Content Verification (CVS), LDAP, X Window, NNTP, BGP, and other services. Successful attacks on these servers can allow attackers to take control of the compromised servers or cause them to crash, resulting in a denial of service.
SonicWALL Misc signatures are categorized from low- to high-priority depending on the probability of success and the magnitude of the potential impact of the corresponding threats. When enabled for prevention, they can keep malicious files and requests from reaching the network. It should also be noted, however, that patches and software updates are available from the vendors of the above-mentioned software that can close the vulnerabilities covered in this section, and that these updates should be used in conjunction with SonicWALL signatures to ensure maximum network security.