[Snort-sigs] SID 4638

Paul Schmehl pauls at ...1311...
Fri Jun 1 14:37:14 EDT 2007

I'm trying to figure out what the exploit is for this rule, and the FrSIRT 
"explanation" is a bit of a headscratcher.

Here's the rule:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol 
zero length object DoS attempt"; content:"|01|"; depth:1; offset:11; 
byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; 
classtype:attempted-dos; sid:4638; rev:3; )

Here's FrSIRT's explanation of the vulnerability:

"A new vulnerability was identified in tcpdump, which may be exploited by 
attackers to conduct a denial of service. This flaw resides in the 
"rsvp_print()" function and occurs when decoding specially crafted Resource 
ReSerVation Protocol (RSVP) packets, which may be exploited to crash a 
vulnerable application."

I don't have access to the exploit code, so I can't see exactly what it 
does, but I'm thinking that for this to work remotely tcpdump must be 
running on the target box, right?  That seems like a bit of a crap shoot to 
me, yet we're getting some alerts on this, meaning that it's being actively 
launched on the internet.  The src IPs and ports and dst IPs and ports are 
all over the map, making it look like a botnet-generated attack against a 
broad range of hosts.

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3701 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20070601/58e17e8c/attachment.bin>

More information about the Snort-sigs mailing list