.NET text executable (Dot_NET_Shellcode_Detected)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This event triggers when well-known shellcode payloads are detected within .NET IL-only (Intermediate Language only) DLL files.


False positives

RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: It is unlikely that a .NET Intermediate Language DLL will contain patterns similar to shellcode instructions. This event does not trigger on DLL files containing only x86 instructions.

False negatives

RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: As with all other shellcode-related events, it is possible that some patterns will not be detected.

Default risk level

High

Sensors that have this signature

RealSecure Network: XPU 29.090, RealSecure Server Sensor: XPU 29.090, Proventia Network MFS: XPU 29.090, Proventia-G 1.1 and earlier: XPU 29.090, Proventia Network IDS: XPU 29.090, IBM Security Server Protection for Windows: 1.0.914.2430, IBM Security Server Protection for Windows: 2.0.300.2430, IBM Security Server Protection for Windows: 2.1.14.2430, Proventia Desktop: 2430, Proventia Network IPS: XPU 29.090, Proventia Server IPS for Linux technology: 29.090, Virtual Server Protection for VMware: 1.0

Systems affected

Microsoft .NET Framework

Type

Suspicious Activity

Vulnerability description

This signature detects shellcode in a .NET binary, marked as IL-only, that is traversing the network. A remote attacker can use these types of binaries in browser exploitation to load content to a pre-defined memory location of the attacker's choosing. Under normal circumstances, .NET IL-only binaries should not contain any native executable code.
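
The "IL-only" marking referred to above is a flag bit in the CLR header of the PE file. The following is an added example, not the signature's own logic (which this page does not describe): it shows how a defender can read that flag from a captured file. The function names `is_il_only` and `build_sample` are hypothetical, and the sample image is constructed for the example. It does not perform any shellcode pattern matching.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1  # Flags bit in IMAGE_COR20_HEADER
CLR_DIR_INDEX = 14           # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def is_il_only(data):
    """True/False for a PE with a CLR header; None for anything else."""
    try:
        if data[:2] != b"MZ":
            return None
        pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        opt = pe + 24
        magic, = struct.unpack_from("<H", data, opt)
        dirs = opt + (96 if magic == 0x10B else 112)         # PE32 / PE32+
        ndirs, = struct.unpack_from("<I", data, dirs - 4)
        if ndirs <= CLR_DIR_INDEX:
            return None
        clr_rva, _ = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR_INDEX)
        if clr_rva == 0:
            return None                                      # native-only image
        for i in range(nsec):                                # map RVA to file offset
            s = opt + opt_size + 40 * i
            vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, s + 8)
            if vaddr <= clr_rva < vaddr + max(vsize, rsize):
                off = rptr + (clr_rva - vaddr)
                flags, = struct.unpack_from("<I", data, off + 16)
                return bool(flags & COMIMAGE_FLAGS_ILONLY)
        return None
    except struct.error:                                     # truncated input
        return None

def build_sample(flags):
    """Constructed minimal PE32 layout (headers, one section, CLR header)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR_INDEX, 0x2000, 72)
    sect = b".text\0\0\0" + struct.pack("<IIII", 72, 0x2000, 0x200, 0x200) + b"\0" * 16
    cor20 = struct.pack("<IHHIII", 72, 2, 5, 0, 0, flags)    # Flags at offset 16
    head = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return head.ljust(0x200, b"\0") + cor20.ljust(0x200, b"\0")
```

A `None` result corresponds to the files this event ignores (no CLR header, for example a DLL containing only x86 instructions); a `True` result identifies the class of file in which native code is not expected.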

How to remove this vulnerability

This audit is for informational purposes only.

References

ISS X-Force
.NET text executable
http://www.iss.net/security_center/static/44988.php