[Snort-devel] help I'm stuck inside spp_stream4.c and can't get out.

Mike Chandler mchandl1 at ...1977...
Sat Jun 28 14:57:08 EDT 2003

O.K.  I'm probably going to get rightously flamed for this email but I'm running out of time and I need to ask someone.  I'm a SANS GCIA student, trying to prepare my paper for a GIAC certification.  I thought I would write about the Integer Overflow in Stream4 (remember http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10)?  It seemed like a good example to hold up and show people why they need use a receive only cable on their IDS.  If someone can find an overflow in a well written program like Snort, then using a tap or receive only cable is only sensible.

I can't write much about the overflow without being able to reproduce it.  I've tried both the core security example using hping and I tried the exploit at http://www.packetstormsecurity.nl/filedesc/p7snort191.sh.html .  Neither seemed to work.  I spent a good deal of time looking at Snort's code and it appears to me that neither the example nor the exploit should work.  It looks to me that the only way to get Snort to call TraverseFunc is complete a tcp/ip handshake (SYN, SYN/ACK, ACK,) and have the -d flag set when starting Snort.

I know this is asking a lot, but surely everyone has updated their version of Snort by now.  Would somebody please tell me if my evaluation is correct?   I don't work with C code every day and it would take a long time for me to verify my findings and then learn how to write a raw IP or libpcap program that actually works.  That is time I don't have.  I wouldn't publish the exploit just the tcpdump of the exploit happening. 

Please tell me if I'm doing something wrong with the example code or if I'm correct and that I should start looking at writing a libpcap program to deliver the overflow.  I have a habit of obsessing about something like this.  I'm not going to be able to move on until I can extract myself from the code.


Mike Chandler,  GCIA, CCNA, and soon to be former CNE/CNA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030628/f49694fe/attachment.html>

More information about the Snort-devel mailing list