[Snort-devel] clobbered memory structures used by stream4 Version 1.8.1-beta5 (Build 59)

Phil Wood cpw at ...86...
Sat Jul 28 16:41:53 EDT 2001


Marty,

I hope this is not one of my false alarms.  However, hang on a little bit.

Facts:

  Two different PCs snorting the same network (arpanet and radiocity).
  Clocks are in sync.
  Both have Gige cards
  Two core dumps one on each machine at the same time.
  Both machines are running Version 1.8.1-beta5 (Build 59)
  arpanet is 7.0, radiocity is 6.2
  The libpcap is mine and identical on both systems.
  Both machines have the same packet, and identical core files with respect to
    the data being examined and where they died.

What I think so far:
  
The dataPtr in the ssn->server structure looks like data 0x31312720 and
not a memory pointer.  In fact, if you take the contents of ssn->server:

print ssn->server
$5 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129, 
  current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564, 
  win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
    root = 0x28205345, cmp = 0x2c273327, count = 892413728, flags = 55 '7'}, 
  dataPtr = 0x3227202c}

and convert to hex to run through a handydandy hextotex you get something
that looks an awful lot like maybe some kind of sound file?

  73282074  6469732C  6469616E  67696572  75746D69 : s( tdis,diangierutmi :
  742C7365  2029706D  554C4156  28205345  2c273427 : t,se )pmULAV( SE,'4' :
  39372720                                         : 97'                  :

The packet looks possibly hand crafted.

Not a lot to go on, but I think better than my last one.  %^)

Phil

============================================================================
Version 1.8.1-beta5 (Build 59)
Fault on arpanet @ Jul 28 11:17
#0  ubi_btKillTree (RootPtr=0x3227202c, FreeNode=0x807b51c <KillSpd>)
    at ubi_BinTree.c:906
906       {
(gdb) up
#1  0x807b05c in AlertFlushStream (p=0xbffff1f8, session=0x87fff50)
    at spp_stream4.c:2295
2295        (void)ubi_trKillTree(Root, KillSpd);
(gdb) print *p
$1 = {pkth = 0xbffff6d8, pkt = 0x4062b042 "", fddihdr = 0x0, fddisaps = 0x0, 
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, 
  trhmr = 0x0, sllh = 0x0, eh = 0x4062b042, vh = 0x0, ehllc = 0x0, 
  ehllcother = 0x0, ah = 0x0, iph = 0x4062b050, orig_iph = 0x0, 
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x4062b064, 
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, 
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, 
  data = 0x4062b078 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000', 
  frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337, 
  dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, 
    length = 0}, ssnptr = 0x87fff50, ip_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, ip_option_count = 0, 
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0, 
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4, 
  wire_packet = 0 '\000'}
(gdb)  x/16 p->pkt
0x4062b042:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
0x4062b052:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
0x4062b062:     0x697a9803      0x00000302      0x00000000      0x14500000
0x4062b072:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28

  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 0            | | | | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 255.255.255.255                             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 128.165.3.152                          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 31337           | Destination Port = 515        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 0                                           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Acknowledgment Number = 0                                     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Checksum = 56504              | Urgent Pointer = 0            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  636b6f0a  0101281f  004e                  : cko   (  N       :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

==========================================================================
Version 1.8.1-beta5 (Build 59)
Fault on radiocity @ Jul 28 11:17

#0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
    at ubi_BinTree.c:906
#1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
    at spp_stream4.c:2295
#2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
#3  0x804c790 in ProcessPacket (user=0x0, pkthdr=0xbffff468, pkt=0x40a9f672 "")
    at snort.c:519
#4  0x808123c in packet_ring_recv ()
#5  0x8081574 in pcap_read ()
#6  0x8082313 in pcap_loop ()
#7  0x804de87 in InterfaceThread (arg=0x0) at snort.c:1450
#8  0x804c674 in main (argc=20, argv=0xbffff65c) at snort.c:452
(gdb) print *FreeNode
$1 = {void ()} 0x807f7cc <KillSpd>
(gdb) print *P             
$1 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e', 
  balance = 118 'v'}

(gdb) up
#1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
    at spp_stream4.c:2295
2295        (void)ubi_trKillTree(Root, KillSpd);
(gdb) print *p
$2 = {pkth = 0xbffff468, pkt = 0x40a9f672 "", fddihdr = 0x0, fddisaps = 0x0, 
  fddisna = 0x0, fddiiparp = 0x0, fddiother = 0x0, trh = 0x0, trhllc = 0x0, 
  trhmr = 0x0, sllh = 0x0, eh = 0x40a9f672, vh = 0x0, ehllc = 0x0, 
  ehllcother = 0x0, ah = 0x0, iph = 0x40a9f680, orig_iph = 0x0, 
  ip_options_len = 0, ip_options_data = 0x0, tcph = 0x40a9f694, 
  orig_tcph = 0x0, tcp_options_len = 0, tcp_options_data = 0x0, udph = 0x0, 
  orig_udph = 0x0, icmph = 0x0, orig_icmph = 0x0, ext = 0x0, 
  data = 0x40a9f6a8 "cko\n\001\001(\037", dsize = 3, frag_flag = 0 '\000', 
  frag_offset = 0, mf = 0 '\000', df = 0 '\000', rf = 0 '\000', sp = 31337, 
  dp = 515, orig_sp = 0, orig_dp = 0, caplen = 0, URI = {uri = 0x0, 
    length = 0}, ssnptr = 0x86e7cd0, ip_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, ip_option_count = 0, 
  ip_lastopt_bad = 0 '\000', tcp_options = {{code = 0 '\000', len = 0, 
      data = 0x0} <repeats 40 times>}, tcp_option_count = 0, 
  tcp_lastopt_bad = 0 '\000', csum_flags = 0 '\000', packet_flags = 4, 
  wire_packet = 0 '\000'}
(gdb) x/ p->data
0x40a9f6a8:     0x0a6f6b63
(gdb) print p->pkth
$3 = (struct pcap_pkthdr *) 0xbffff468
(gdb) print *p->pkth
$4 = {ts = {tv_sec = 996340635, tv_usec = 277459}, caplen = 57, len = 57, 
  ifindex = 0, protocol = 8, pkt_type = 3 '\003'}
(gdb) x/16 p->pkt
0x40a9f672:     0xcd1d0000      0x6000fd46      0x00875083      0x00450008
0x40a9f682:     0x00002b00      0x060e0000      0xffff9128      0xa580ffff
0x40a9f692:     0x697a9803      0x00000302      0x00000000      0x14500000
0x40a9f6a2:     0xb8dc0000      0x6b630000      0x01010a6f      0x4e001f28
(gdb)    

  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 43             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 0            | | | | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=14     | Protocol = 6  | Header Checksum = 10385       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 255.255.255.255                             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 128.165.3.152                          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 31337           | Destination Port = 515        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 0                                           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Acknowledgment Number = 0                                     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=5 | | | | | | | |A| |R| | |  Window = 0                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Checksum = 56504              | Urgent Pointer = 0            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  636b6f0a  0101281f  004e                  : cko   (  N       :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

#2  0x80593f4 in Preprocess (p=0xbfffef7c) at rules.c:3439
3439                AlertFlushStream(p, p->ssnptr);
(gdb) list
3434
3435            if(retval && 
3436               !(p->packet_flags & PKT_REBUILT_STREAM))
3437            {
3438                /* flush any stream that this packet is associated with */
3439                AlertFlushStream(p, p->ssnptr);
3440            }
3441        }
3442
3443        if(otn_tmp != NULL)
(gdb) print p->ssnptr
$6 = (void *) 0x86e7cd0

(gdb) down
#1  0x807f373 in AlertFlushStream (p=0xbfffef7c, session=0x86e7cd0)
    at spp_stream4.c:2295
2295        (void)ubi_trKillTree(Root, KillSpd);
(gdb) print ssn->server
print ssn->server
$7 = {ip = 1932009588, port = 25705, state = 44 ',', isn = 1932289129, 
  current_seq = 1634625385, base_seq = 1701999988, last_ack = 1835627564, 
  win_size = 29541, pkts_sent = 539586669, bytes_sent = 1431060822, data = {
    root = 0x28205345, cmp = 0x2c273427, count = 959915808, flags = 51 '3'}, 
  dataPtr = 0x31312720}

(gdb) list
2290
2291
2292
2293    void DeleteSpd(ubi_trRootPtr Root, int log)
2294    {
2295        (void)ubi_trKillTree(Root, KillSpd);
2296    }
2297
2298
2299    int GetDirection(Session *ssn, Packet *p)
(gdb) down 
#0  ubi_btKillTree (RootPtr=0x31312720, FreeNode=0x807f7cc <KillSpd>)
    at ubi_BinTree.c:906
906       {
(gdb) list
901        *           root.  This function will return NULL only if P is NULL.
902        *  Note:    In general, you will be passing in the value of the root field
903        *           of an ubi_btRoot structure.
904        * ------------------------------------------------------------------------ **
905        */
906       {
907       return( SubSlide( P, ubi_trLEFT ) );
908       } /* ubi_btFirst */
909
910     ubi_btNodePtr ubi_btLast( ubi_btNodePtr P )
(gdb) print *P
$4 = {Link = {0x4015dd68, 0x4015dd68, 0x204f544e}, gender = 101 'e', 
  balance = 118 'v'}


-- 
Phil Wood, cpw at ...86...
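Added example (my own script, not Phil's hextotex and not Snort code): it takes the ssn->server field values exactly as gdb printed them in the radiocity core, packs each one into the little-endian byte order it has in memory on the x86 host, and flags every field whose bytes are all printable ASCII, which is the quick test for a pointer or counter that has been overwritten with text. Field widths are taken from the gdb output; compiler padding between fields is not in the dump and is simply left out, so the recovered string has small gaps. The arpanet values differ only in data.cmp, data.count, data.flags and dataPtr and decode the same way.

```python
import struct
import string

# ssn->server as gdb printed it in the radiocity core (values from the post).
# Widths follow the gdb output: 32-bit for ip/isn/seqs/counters/pointers,
# 16-bit for port and win_size, one byte for state and flags.  Compiler
# padding between fields is not in the dump, so it is absent here too.
RADIOCITY_SERVER = [
    ("ip",          "<I", 1932009588), ("port",       "<H", 25705),
    ("state",       "<B", 44),         ("isn",        "<I", 1932289129),
    ("current_seq", "<I", 1634625385), ("base_seq",   "<I", 1701999988),
    ("last_ack",    "<I", 1835627564), ("win_size",   "<H", 29541),
    ("pkts_sent",   "<I", 539586669),  ("bytes_sent", "<I", 1431060822),
    ("data.root",   "<I", 0x28205345), ("data.cmp",   "<I", 0x2c273427),
    ("data.count",  "<I", 959915808),  ("data.flags", "<B", 51),
    ("dataPtr",     "<I", 0x31312720),
]

# Printable ASCII minus the control whitespace characters.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def field_bytes(fmt, value):
    """Bytes of one field as they sit in memory on a little-endian x86 host."""
    return struct.pack(fmt, value)


def looks_like_text(raw):
    """True when every byte of a supposed pointer or counter is printable ASCII.
    A heap pointer such as 0x087fff50 fails this (0x08 and 0xff are not text)."""
    return len(raw) > 0 and all(b in PRINTABLE for b in raw)


def decode_struct(fields):
    """Return (text in memory order, names of fields whose bytes are all text)."""
    raw = b"".join(field_bytes(fmt, v) for _, fmt, v in fields)
    suspicious = [n for n, fmt, v in fields if looks_like_text(field_bytes(fmt, v))]
    return raw.decode("ascii", errors="replace"), suspicious


if __name__ == "__main__":
    text, bad = decode_struct(RADIOCITY_SERVER)
    print("memory reads:", repr(text))
    print("fields holding text instead of values:", ", ".join(bad))
```

Run stand-alone it reports every field of the struct as text and prints the memory in its real byte order, which with the padding gaps comes out as t (sid,id,signature,timesmp) VALUES ('4', '793 '11, i.e. a column list and VALUES clause of an SQL INSERT statement overwriting the session.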