[Snort-sigs] SID 4638

Paul Schmehl pauls at ...1311...
Fri Jun 1 16:01:35 EDT 2007


--On Friday, June 01, 2007 14:36:45 -0500 trains <trains at ...2395...> 
wrote:

> Quoting Paul Schmehl <pauls at ...1311...>:
>
>> I'm trying to figure out what the exploit is for this rule, and the
>> FrSIRT "explanation" is a bit of a headscratcher.
>>
>> Here's the rule:
>>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
>> zero length object DoS attempt"; content:"|01|"; depth:1; offset:11;
>> byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
>> reference:url,www.frsirt.com/english/advisories/2005/0411;
>> classtype:attempted-dos; sid:4638; rev:3; )
>
> It seems to me that to exploit this flaw, the victim would have to be
> running tcpdump on a router that is running RSVP or possibly sniffing
> the traffic between two routers running RSVP.
>
> Then by engineering some special RSVP traffic out one router interface
> the aggressor could crash tcpdump on the other router or on the
> network monitoring device.
>
> It does seem like a bit of a stretch for a small payoff (crash the
> tcpdump process).  I suspect if I own one of your routers, you have a
> way bigger problem than if I decide to crash your network monitor.
>
> I would be inclined to call it a bad rule.  Can you post the packet
> traces that are causing it to fire off?
>
Here you go.  I wouldn't call it a "bad" rule.  Not very useful might be a 
more accurate description.  I can see how it could be used in a directed 
attack to try and hide traffic, but that's about it.


-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
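As an added illustration (not part of the thread), this Python mirrors the three payload tests in the rule quoted above and runs them over constructed RSVP-style messages. Mapping offsets 10, 11 and 13 onto the RSVP object class, C-Type and first-subobject length is my reading of the rule against RFC 2205/3209, not something the thread states, and the sample bytes are constructed.

```python
import re

# Snort rule SID 4638 (quoted in the thread), decomposed into its three payload tests.
CONTENT_OFFSET, CONTENT_VALUE = 11, b"\x01"      # content:"|01|"; depth:1; offset:11
BYTE_TEST_OFFSET, BYTE_TEST_LIMIT = 13, 4          # byte_test:1,<,4,13
# pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm": /s lets "." match any byte,
# /m lets "^" also anchor after a 0x0A byte, a subtle false-positive source.
PCRE = re.compile(rb"^.{10}[\x14\x15]\x01.{1}[\x00-\x03]", re.DOTALL | re.MULTILINE)

def content_match(payload: bytes) -> bool:
    """content with offset/depth: the byte is only looked for inside a 1-byte window."""
    return payload[CONTENT_OFFSET:CONTENT_OFFSET + len(CONTENT_VALUE)] == CONTENT_VALUE

def byte_test_match(payload: bytes) -> bool:
    """byte_test:1,<,4,13: the single byte at offset 13 must be below 4."""
    return len(payload) > BYTE_TEST_OFFSET and payload[BYTE_TEST_OFFSET] < BYTE_TEST_LIMIT

def pcre_match(payload: bytes) -> bool:
    """Snort evaluates the pcre as a search over the whole payload, not a match at 0."""
    return PCRE.search(payload) is not None

def sid4638_fires(payload: bytes) -> bool:
    """All three options must match for the alert to fire."""
    return content_match(payload) and byte_test_match(payload) and pcre_match(payload)

def build_rsvp_payload(class_num: int, subobject_len: int) -> bytes:
    """Constructed sample: 8-byte RSVP common header, then one object whose first
    subobject carries the given length byte.  Reading the rule against RFC 2205/3209
    (an assumption here): offset 10 is the object class (0x14 EXPLICIT_ROUTE,
    0x15 RECORD_ROUTE), offset 11 the C-Type (1), offset 13 the first subobject's
    length; a value below 4 is shorter than the subobject header itself, which is
    the "zero length object" the rule looks for."""
    header = bytes([0x10, 0x01, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00])  # v1, Path, TTL 255
    subobj = bytes([0x01, subobject_len, 0xC0, 0x00, 0x02, 0x01, 0x20, 0x00])  # IPv4 192.0.2.1/32
    obj_hdr = (4 + len(subobj)).to_bytes(2, "big") + bytes([class_num, 0x01])
    return header + obj_hdr + subobj

if __name__ == "__main__":
    for label, pkt in [("well-formed ERO", build_rsvp_payload(0x14, 8)),
                       ("zero-length ERO subobject", build_rsvp_payload(0x14, 0)),
                       ("short RRO subobject", build_rsvp_payload(0x15, 3)),
                       ("zero length, other class", build_rsvp_payload(0x13, 0))]:
        print(f"{label:28s} -> {'ALERT' if sid4638_fires(pkt) else 'pass'}")
```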