
SANS ISC: Snort Denial of Service Vulnerability - SANS Internet Storm Center

Snort Denial of Service Vulnerability

Earlier Monday, a vulnerability was announced in the 2.x series of the Snort open source IDS software.  The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to cause a denial of service in Snort with a malformed, crafted TCP/IP packet.  These vulnerabilities involve NULL pointer dereferences, which should mean that only a denial of service is possible.

JustinF noted earlier today that the original advisory I grabbed from the site was not completely accurate. You _do not_ have to be running Snort with the -v flag set, as there are other execution paths that lead to the PrintTcpOptions() function.  Notably, PrintIPPacket() can be used to call the vulnerable function.  This requires a few conditions to be met, such as the packet not being a fragment[1] and its protocol being TCP.  (For those looking at the code from CVS, it takes a couple of levels of following the code to see this connection.)

Justin noted that running with "-A fast", logging in ASCII mode, and the frag3 and stream4 preprocessors are all potential paths to PrintTcpOptions(), in addition to the initially reported -v flag.

He also noted that there are several bugs in PrintTcpOptions(), which is apparent from the changes made to the source: the fix touches nearly all of the TCP options, not just SACK.
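To make the failure mode concrete, here is an added example (written for this diary, not Snort's code) of the defensive pattern a TCP option printer needs: a walker that validates every option length before reading, records a NULL data pointer for options that carry no data, and a printer that checks that pointer and the data size before dereferencing anything. The option codes and sample byte strings are constructed for the example; function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort's code: a defensive TCP options walker and
 * printer. Every access into the option bytes is guarded by the declared
 * length, and the printer never dereferences a data pointer it has not
 * checked for NULL and for the expected size. */

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MSS     2
#define TCPOPT_WSCALE  3
#define TCPOPT_SACKOK  4
#define TCPOPT_SACK    5
#define TCPOPT_TS      8
#define MAX_TCP_OPTS  40   /* 60-byte maximum header minus 20 fixed bytes */

typedef struct {
    uint8_t        code;
    uint8_t        len;   /* whole option: kind + length + data; 1 for NOP */
    const uint8_t *data;  /* NULL when the option carries no data bytes */
} tcp_option_t;

/* Splits the option bytes into records. Returns the count, or -1 on a
 * structural error (missing length byte, length < 2, option overrun). */
int parse_tcp_options(const uint8_t *opts, size_t opts_len,
                      tcp_option_t *out, size_t max_out)
{
    size_t i = 0;
    int n = 0;

    if (opts == NULL && opts_len != 0)
        return -1;
    while (i < opts_len) {
        uint8_t code = opts[i];
        uint8_t len;

        if (code == TCPOPT_EOL)
            break;                          /* only padding follows */
        if ((size_t)n >= max_out)
            return -1;
        if (code == TCPOPT_NOP) {
            out[n].code = code; out[n].len = 1; out[n].data = NULL;
            n++; i++;
            continue;
        }
        if (i + 1 >= opts_len)
            return -1;                      /* length byte missing */
        len = opts[i + 1];
        if (len < 2 || i + len > opts_len)
            return -1;                      /* bad length or overrun */
        out[n].code = code;
        out[n].len  = len;
        out[n].data = (len > 2) ? &opts[i + 2] : NULL;
        n++;
        i += len;
    }
    return n;
}

/* Renders one option. Options whose data is missing or mis-sized are
 * reported as malformed instead of being dereferenced. */
int describe_tcp_option(const tcp_option_t *o, char *buf, size_t buflen)
{
    size_t dlen = (o->len >= 2) ? (size_t)o->len - 2 : 0;

    switch (o->code) {
    case TCPOPT_NOP:
        return snprintf(buf, buflen, "NOP");
    case TCPOPT_MSS:
        if (o->data == NULL || dlen != 2)
            return snprintf(buf, buflen, "MSS(malformed len=%u)", o->len);
        return snprintf(buf, buflen, "MSS %u",
                        (unsigned)((o->data[0] << 8) | o->data[1]));
    case TCPOPT_WSCALE:
        if (o->data == NULL || dlen != 1)
            return snprintf(buf, buflen, "WS(malformed len=%u)", o->len);
        return snprintf(buf, buflen, "WS %u", o->data[0]);
    case TCPOPT_SACKOK:
        return snprintf(buf, buflen, "SACKOK");
    case TCPOPT_SACK:
        /* each SACK block is two 32-bit sequence numbers (8 bytes) */
        if (o->data == NULL || dlen == 0 || dlen % 8 != 0)
            return snprintf(buf, buflen, "SACK(malformed len=%u)", o->len);
        return snprintf(buf, buflen, "SACK %zu block(s)", dlen / 8);
    case TCPOPT_TS:
        if (o->data == NULL || dlen != 8)
            return snprintf(buf, buflen, "TS(malformed len=%u)", o->len);
        return snprintf(buf, buflen, "TS present");
    default:
        return snprintf(buf, buflen, "Opt %u (len %u)", o->code, o->len);
    }
}

/* Constructed sample option blobs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {        /* MSS 1460, NOP, WS 7, SACKOK, TS */
    2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
static const uint8_t SAMPLE_SACK_EMPTY[] = { 5, 2 };    /* SACK with no blocks */
static const uint8_t SAMPLE_TRUNC[] = { 2, 4, 0x05 };   /* MSS claims 4 bytes */

int count_options(const uint8_t *opts, size_t n)
{
    tcp_option_t o[MAX_TCP_OPTS];
    return parse_tcp_options(opts, n, o, MAX_TCP_OPTS);
}

/* Describes the first option of a blob, or the parse failure. */
const char *describe_first(const uint8_t *opts, size_t n)
{
    static char buf[64];
    tcp_option_t o[MAX_TCP_OPTS];
    int cnt = parse_tcp_options(opts, n, o, MAX_TCP_OPTS);
    if (cnt > 0)       describe_tcp_option(&o[0], buf, sizeof buf);
    else if (cnt == 0) snprintf(buf, sizeof buf, "(no options)");
    else               snprintf(buf, sizeof buf, "(malformed option list)");
    return buf;
}

int main(void)
{
    printf("good:       %s\n", describe_first(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("sack empty: %s\n", describe_first(SAMPLE_SACK_EMPTY, sizeof SAMPLE_SACK_EMPTY));
    printf("truncated:  %s\n", describe_first(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The point is the separation of concerns: the walker rejects anything structurally impossible (a length of 0 or 1, or an option that runs past the end of the header), and the printer still treats a syntactically valid but semantically empty option, such as a SACK with no blocks, as malformed rather than assuming its data pointer is set.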

Thanks, Justin, for looking closely at the code and bringing it to our attention.

Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release.

Proof of Concept Released:

In addition, proof of concept code has been released for this vulnerability.

Snort News
VulnFact Advisory
FRSIRT Bulletin

Scott Fendley, Handler on Duty


Sep 13th 2005
