
Snort Denial of Service Vulnerability

Published: 2005-09-13
Last Updated: 2005-09-13 23:33:59 UTC
by Scott Fendley (Version: 2)

Earlier Monday, Snort.org announced a vulnerability in the 2.x series of its open source IDS software. The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to use a malformed, crafted TCP/IP packet to cause a DoS in Snort. These vulnerabilities involve NULL pointer dereferences, which should mean that only a denial of service is possible. Additionally, proof of concept code has been released for this vulnerability.

JustinF noted earlier today that the original advisory that I grabbed from the snort.org site may not be completely accurate. You _do not_ have to be running Snort with the -v flag set, as there are other execution paths that lead to the PrintTcpOptions() function. Notably, PrintIPPacket() can be used to call the vulnerable function. Reaching it that way requires a few conditions to be met, such as the packet not being a fragment[1] and its protocol being TCP. (For those looking at the code from CVS, it takes a couple of levels of following the code to see this connection.)

Justin noted that running with "-A fast", logging in ASCII mode, and the frag3 and stream4 preprocessors each have some potential to reach PrintTcpOptions(), in addition to the initially reported -v flag. Some of these appear to be pretty difficult to exploit, or are not typically used in a production environment. However, they are noted in case someone is using them in a production environment.

Additionally, Justin noted that there were a number of changes to the code involving the TCP options, including that of SACK. Many of these changes were made to prevent other NULL pointer dereferences from being possible, per Marty Roesch's post located at SecurityFocus.
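To make the class of defect concrete, here is an added example of a defensive TCP options walker. It is not Snort's PrintTcpOptions() or any other code from the Snort project; it is constructed for this diary to show the checks (NULL pointer, option length byte present, declared length within the remaining bytes, and a NULL data pointer for options that carry no data such as SACK permitted) that any code printing attacker-controlled option bytes needs before dereferencing them. The option kinds, the sample byte strings and the function names are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a defensive TCP options walker. This is NOT Snort's
 * PrintTcpOptions(); it only illustrates the class of checks (NULL pointer,
 * option length, remaining bytes) a parser of attacker-controlled option
 * bytes must make before touching option data. */

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define MAX_OPTS    40   /* a TCP header carries at most 40 option bytes */

struct tcp_opt {
    uint8_t kind;
    uint8_t len;          /* total length including the kind and len bytes */
    const uint8_t *data;  /* points into the input buffer, or NULL when len == 2 */
};

/* Returns the number of options decoded, or -1 if the buffer is malformed. */
int parse_tcp_options(const uint8_t *opts, size_t opts_len,
                      struct tcp_opt *out, size_t max_out)
{
    if (opts == NULL || out == NULL)
        return -1;
    if (opts_len > MAX_OPTS)
        return -1;

    size_t pos = 0;
    int count = 0;

    while (pos < opts_len) {
        uint8_t kind = opts[pos];

        if (kind == TCPOPT_EOL)
            break;                          /* end of option list */

        if (kind == TCPOPT_NOP) {
            pos += 1;                       /* single-byte option, no length */
            continue;
        }

        if (pos + 1 >= opts_len)
            return -1;                      /* kind present but length byte missing */

        uint8_t len = opts[pos + 1];
        if (len < 2 || pos + len > opts_len)
            return -1;                      /* bogus length or runs past the buffer */

        if ((size_t)count >= max_out)
            return -1;                      /* caller's output array is full */

        out[count].kind = kind;
        out[count].len = len;
        out[count].data = (len > 2) ? &opts[pos + 2] : NULL;
        count++;
        pos += len;
    }
    return count;
}

/* Prints a decoded option; tolerates a NULL data pointer instead of
 * dereferencing it. Returns the number of data bytes printed, -1 on NULL. */
int print_tcp_option(const struct tcp_opt *o)
{
    if (o == NULL)
        return -1;
    printf("kind=%u len=%u", o->kind, o->len);
    if (o->data == NULL || o->len <= 2) {
        printf("\n");
        return 0;                           /* option without data, nothing to deref */
    }
    int n = o->len - 2;
    for (int i = 0; i < n; i++)
        printf(" %02x", o->data[i]);
    printf("\n");
    return n;
}

/* Constructed sample inputs (not taken from any published PoC). */
static const uint8_t good_opts[] = {
    0x02, 0x04, 0x05, 0xb4,         /* MSS 1460 */
    0x01, 0x01,                     /* NOP NOP */
    0x04, 0x02,                     /* SACK permitted (no data bytes) */
    0x00                            /* EOL */
};
static const uint8_t bad_opts[] = {
    0x02, 0x04, 0x05                /* MSS claims 4 bytes, only 3 present */
};

int main(void)
{
    struct tcp_opt parsed[MAX_OPTS];
    int n = parse_tcp_options(good_opts, sizeof good_opts, parsed, MAX_OPTS);
    for (int i = 0; i < n; i++)
        print_tcp_option(&parsed[i]);
    printf("good: %d options, bad: %d\n", n,
           parse_tcp_options(bad_opts, sizeof bad_opts, parsed, MAX_OPTS));
    return 0;
}
```

The important property is that a truncated or over-long option is rejected by the parser before anything is printed, and the printer never assumes a data pointer is valid: the same malformed packet that reaches a printing path through -v, "-A fast" or a preprocessor is handled identically, because the check lives at the point of dereference rather than at one particular caller.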

Thanks to all of the people that have offered their input to the above.

Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release. 

References:
Snort News
VulnFact Advisory
FRSIRT Bulletin
SecurityFocus

------------
Scott Fendley, Handler on Duty


