SHELLCODE: Base64 X86 NOOP Detection Over TCP-CTS (4)

This signature detects payloads transferred over the network that use base64-encoded x86 NOOP sleds. This may indicate an attempt to evade anti-virus/IPS solutions and possibly drop malicious code.

Extended Description

Multiple buffer overflows in kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, allow remote attackers to execute arbitrary code via a .ag file with (1) a long ENCODING attribute in a *BEGIN tag, (2) a long token, or (3) the initial *BEGIN tag.

Affected Products

Autonomy KeyView

Short Name
SHELLCODE:X86:BASE64-NOOP-CTS-4
Severity
Critical
Recommended
False
Recommended Action
None
Category
SHELLCODE
Keywords
(4) Base64 CVE-2007-5405 CVE-2007-5544 CVE-2011-1213 Detection NOOP Over TCP-CTS X86 bid:26175 bid:28454 bid:48018
Release Date
12/06/2016
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3704
Port
TCP/0-79,81-442,444-3127,3129-7999,8001-8079,8081-65535
False Positive
Rarely
Vendors

activePDF

Autonomy

Symantec

IBM
