Tuesday, February 13, 2007

Not What Marty Had In Mind...

Even though it has the reputation of being the more secure browser of the two, early versions of Firefox lack a feature that IE has had for a long time - automatic updates. The end result is that there are probably some old, vulnerable versions of Firefox running on your network. So, I wrote some Snort signatures to take a quick poll for old versions of Firefox. Not what your IDS was intended for, but it works. (And it's cheaper than a software management rootkit like Unicenter or Altiris.)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.5"; content:"User-Agent|3A|"; pcre:"/Firefox\/1.5.0.[0-6]/"; sid:9000040; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.0"; content:"User-Agent|3A|"; content:"Firefox/1.0"; sid:9000041; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 0.x"; content:"User-Agent|3A|"; content:"Firefox/0."; sid:9000042; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 0.9.2"; content:"User-Agent|3A|"; content:"Firefox 0.9"; sid:9000043; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version Mozilla 7"; content:"User-Agent|3A|"; content:"Firefox 7"; sid:9000044; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 0.9.3"; content:"User-Agent|3A|"; content:"Firefox_123"; sid:9000045; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.1"; content:"User-Agent|3A|"; content:"Firefox/1.1"; sid:9000046; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.2"; content:"User-Agent|3A|"; content:"Firefox/1.2"; sid:9000047; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.4"; content:"User-Agent|3A|"; content:"Firefox/1.4"; sid:9000048; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Vulnerable Firefox Version 1.5 RC"; content:"User-Agent|3A|"; content:"Firefox/1.5 RC"; sid:9000049; rev:1;)


Since these signatures look for the User-Agent client header, these will alert on every HTTP request from an old version, so these can be very, very noisy. I recommend turning them on, getting a list of machines, turning them off, getting those browsers upgraded; lather, rinse, repeat.

No comments:

Post a Comment