[Snort-sigs] SID 4638

rmkml rmkml at ...324...
Fri Jun 1 16:06:24 EDT 2007


Hi,
Maybe the exploit is on this link?:
http://www.securityfocus.com/archive/1/396930

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact at ...3281...
=> Crusoe Researches has more than 1985 unique 'snort' rules available for commercial access
     (Contact me directly if you are interested)

Azwalaro, a new French open-source NIDPS project
http://www.Crusoe-Researches.com/azwalaro/
azwalaro at ...3281...

Rmkml


On Fri, 1 Jun 2007, Paul Schmehl wrote:

> Date: Fri, 01 Jun 2007 15:01:35 -0500
> From: Paul Schmehl <pauls at ...1311...>
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] SID 4638
> 
> --On Friday, June 01, 2007 14:36:45 -0500 trains <trains at ...2395...> 
> wrote:
>
>> Quoting Paul Schmehl <pauls at ...1311...>:
>> 
>>> I'm trying to figure out what the exploit is for this rule, and the
>>> FrSIRT "explanation" is a bit of a headscratcher.
>>> 
>>> Here's the rule:
>>> 
>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
>>> zero length object DoS attempt"; content:"|01|"; depth:1; offset:11;
>>> byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
>>> reference:url,www.frsirt.com/english/advisories/2005/0411;
>>> classtype:attempted-dos; sid:4638; rev:3; )
>> 
>> It seems to me that to exploit this flaw, the victim would have to be
>> running tcpdump on a router that is running RSVP or possibly sniffing
>> the traffic between two routers running RSVP.
>> 
>> Then by engineering some special RSVP traffic out one router interface
>> the aggressor could crash tcpdump on the other router or on the
>> network monitoring device.
>> 
>> It does seem like a bit of a stretch for a small payoff (crash the
>> tcpdump process).  I suspect if I own one of your routers, you have a
>> way bigger problem than if I decide to crash your network monitor.
>> 
>> I would be inclined to call it a bad rule.  Can you post the packet
>> traces that are causing it to fire off?
>> 
> Here you go.  I wouldn't call it a "bad" rule.  Not very useful might be a 
> more accurate description.  I can see how it could be used in a directed 
> attack to try and hide traffic, but that's about it.
>
>
> -- 
> Paul Schmehl (pauls at ...1311...)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
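Added example, not from the thread: the three match options of the quoted SID 4638 rule re-implemented in Python so the rule can be exercised offline against constructed RSVP payloads. It assumes the RFC 3209 layout (8-byte RSVP common header, 4-byte object header, then 2-byte subobject headers), under which the byte_test at offset 13 reads the length of the first subobject in an EXPLICIT_ROUTE (0x14) or ROUTE_RECORD (0x15) object; the packets below are constructed here, not the trace posted in the thread.

```python
import re
import struct

# pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm" -> /s is DOTALL, /m is MULTILINE
RULE_PCRE = re.compile(rb"^.{10}[\x14\x15]\x01.{1}[\x00-\x03]",
                       re.DOTALL | re.MULTILINE)


def sid4638_matches(ip_payload: bytes) -> bool:
    """Return True when an IP payload satisfies all three options of SID 4638."""
    # content:"|01|"; depth:1; offset:11 -> the byte at offset 11 must be 0x01
    if len(ip_payload) < 14 or ip_payload[11] != 0x01:
        return False
    # byte_test:1,<,4,13 -> the single byte at offset 13 must be less than 4
    if ip_payload[13] >= 4:
        return False
    # pcre anchored at the start of the payload: class 20/21, C-Type 1, then
    # any subobject type byte followed by a subobject length in 0..3
    return RULE_PCRE.search(ip_payload) is not None


def rsvp_path_with_ero(subobjects: bytes) -> bytes:
    """Build a minimal RSVP Path message (constructed for this example) whose
    first object is EXPLICIT_ROUTE (class 20, C-Type 1) carrying `subobjects`.
    Assumed layout per RFC 2205/3209; checksum 0 means 'no checksum'."""
    obj = struct.pack("!HBB", 4 + len(subobjects), 20, 1) + subobjects
    total_len = 8 + len(obj)
    # version 1 / flags 0, msg type 1 (Path), checksum, send TTL, reserved, length
    hdr = struct.pack("!BBHBBH", 0x10, 1, 0, 255, 0, total_len)
    return hdr + obj


# IPv4-prefix subobject: type 1, length 8, address, prefix length, reserved
GOOD_SUBOBJ = bytes([0x01, 0x08, 192, 0, 2, 1, 24, 0])
# Same subobject with a zero length field: the malformed case the rule targets
ZERO_LEN_SUBOBJ = bytes([0x01, 0x00, 192, 0, 2, 1, 24, 0])

if __name__ == "__main__":
    for name, sub in (("well-formed ERO", GOOD_SUBOBJ),
                      ("zero-length subobject", ZERO_LEN_SUBOBJ)):
        verdict = "ALERT" if sid4638_matches(rsvp_path_with_ero(sub)) else "no alert"
        print(f"{name}: {verdict}")
```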
