[Snort-users] [Snort-devel] Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability (fwd)

Martin Roesch roesch at ...1935...
Thu Jan 11 17:45:35 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Long story short, if you're running the experimental GRE decoder you  
should update, otherwise you're fine.

	-Marty

On Jan 11, 2007, at 1:31 PM, rmkml wrote:

> Calyptix Security Advisory CX-2007-001
> Date: 01/11/2007
> http://www.calyptix.com/
> http://labs.calyptix.com/advisories/CX-2007-01.txt
>
> [ Overview ]
>
> Snort 2.6.1.2 is vulnerable to an integer underflow that allows a
> remote attacker to cause Snort to read beyond a specified length of
> memory, potentially corrupting logfiles.
>
> [ Risk ]
>
> Calyptix Security has classified this vulnerability as 'Low Risk' as
> the vulnerable code will not be compiled by default. Please see the
> analysis section for more details.
>
> [ Patch / Fix / Workaround ]
>
> Sourcefire has released a fix for this vulnerability in Snort's current CVS tree.
>
> [ Analysis ]
>
> Snort 2.6.1.2 has support for decoding the Generic Routing
> Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary
> protocols to a remote host. The vulnerability in Snort's parsing
> engine is located in the function DecodeGRE() in decode.c
>
> ==BEGIN CODE==
> ...
> (line 3459 decode.c)
> void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
> {
>      u_int8_t flags;
>      u_int32_t hlen;    /* GRE header length */
>      u_int32_t payload_len;
> ...
> payload_len = len - hlen;	(calculation for payload_len is done here)
> ...
> switch (ntohs(p->greh->ether_type))	(line 3597 decode.c)
>      {
> ...
>          default:			(line 3625 decode.c)
>              pc.other++;
>              p->data = pkt + hlen;
>              p->dsize = (u_short)payload_len;  (truncates  
> payload_len to 65XXX)
>              return;
>      }
> ...
> ==END CODE==
>
> 'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer
> types. A specially crafted GRE packet will trigger an integer
> underflow, causing 'payload_len' to wrap around and become a very
> large number. If the correct protocol field in the GRE header is
> used, the attacker can reach line 3627 of decode.c, which assigns
> 'payload_len' as an unsigned short to p->dsize. This truncates
> payload_len to around 65535. In order to exploit the vulnerability,
> Snort must be compiled with '--enable-gre' and run with the '-d'
> flag to dump the application layer content of each packet. Upon
> receiving the malicious packet, Snort will read and log beyond the
> packet's length in memory. This will leak other portions of memory
> that may contain the contents of other packets, Snort rules, and
> various Snort data structures.
>
> [ Disclosure Timeline ]
>
> 01/06/2007 - Vulnerability Discovered
> 01/08/2007 - Sourcefire, Inc. Contacted
> 01/11/2007 - Sourcefire Released Fix in Snort CVS
> 01/11/2007 - Public Disclosure
>
>
> [ Credit ]
>
> Chris Rohlf of Calyptix Security discovered this vulnerability.
>
>
> [ Contact ]
>
> You can contact Calyptix Security about this vulnerability by e-mailing
> advisories2007 at ...14032...
>
>
> [ About Calyptix Security ]
>
> Calyptix Security, founded in 2002, is located in Charlotte, North
> Carolina. Our Unified Threat Management (UTM) product, the
> AccessEnforcer (TM), is used by customers to protect their network
> infrastructure from security threats and is the only security
> appliance in the market that deploys DyVax (TM), our patent-pending
> signatureless inspection engine. The AccessEnforcer provides our
> customers all available gateway security features, including VPN,
> Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
> IM management, for a single price with no add-ons and no hidden
> costs.
>
>
> [ Legal Notice ]
>
> Calyptix Security grants each recipient of this advisory permission
> to redistribute this advisory in electronic or other written medium
> without modification.  This advisory may not be modified without the
> express written consent of Calyptix Security.  If the recipient
> wishes to modify the advisory in any manner or redistribute the
> contents of this advisory other than by way of an exact written or
> electronic transmission hereof, please email
> advisories2007 at ...14032... for such permission.
>
> The information in this advisory is believed to be accurate at the
> time of publication based upon currently available information. Use
> of this information constitutes acceptance for use in an AS IS
> condition.  There are no warranties with regard to any information
> in this advisory.  None of the author, the publisher nor Calyptix
> Security (nor any of their employees, affiliates or agents) accepts
> or has any liability for any direct, indirect or consequential loss
> or damage arising from the use of, or reliance on, any information
> contained in this advisory.
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFpr4Pqj0FAQQ3KOARAtUkAJwLEcFEKSxOZWpimNRV5kpxhf6sjwCfVHQy
u5ZSIBSf9Wj9uKOSxf+yURw=
=e6cu
-----END PGP SIGNATURE-----
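The underflow described in the quoted advisory, reduced to a stand-alone C program. This is an illustration added to this page; it is not Snort's DecodeGRE() and not Calyptix's code. The GRE header-length rule (4-byte base plus 4 bytes for each of the C, K and S options), the two sample packets, and the function names vulnerable_dsize() and hardened_dsize() are all assumptions made for the example. It puts the unchecked subtraction next to the check that should precede it.

```c
#include <stdint.h>
#include <stdio.h>

/* GRE flag bits in the first header byte (RFC 2784/2890).  The header
 * length rule below (4-byte base, plus 4 bytes each for the C, K and S
 * options) is an illustrative assumption, not Snort's own DecodeGRE(). */
#define GRE_FLAG_C 0x80u   /* checksum present */
#define GRE_FLAG_K 0x20u   /* key present      */
#define GRE_FLAG_S 0x10u   /* sequence present */

/* Constructed sample packets (not captures from the advisory). */
/* Flags C|K|S claim a 16-byte header, but only 8 bytes were captured. */
static const uint8_t kTruncatedGre[8] = { 0xB0, 0x00, 0x08, 0x00, 0, 0, 0, 0 };
/* No options: 4-byte header followed by 16 bytes of payload. */
static const uint8_t kPlainGre[20] = { 0x00, 0x00, 0x08, 0x00, 1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16 };

/* Header length implied by the flag byte alone; the packet is not consulted. */
static uint32_t gre_header_len(uint8_t flags)
{
    uint32_t hlen = 4;
    if (flags & GRE_FLAG_C) hlen += 4;
    if (flags & GRE_FLAG_K) hlen += 4;
    if (flags & GRE_FLAG_S) hlen += 4;
    return hlen;
}

/* Vulnerable pattern from the advisory: subtract, then truncate to u_short,
 * with no check that len >= hlen.  Returns the dsize the decoder would store. */
uint16_t vulnerable_dsize(const uint8_t *pkt, uint32_t len)
{
    uint32_t hlen = gre_header_len(pkt[0]);
    uint32_t payload_len = len - hlen;     /* wraps to 0xFFFFFFF8 when len=8, hlen=16 */
    return (uint16_t)payload_len;          /* truncated to 0xFFF8 for kTruncatedGre */
}

/* Hardened pattern: refuse packets that cannot hold the header they claim,
 * and refuse payloads that do not fit in a 16-bit dsize.
 * Returns the payload length, or -1 if the packet is rejected. */
int32_t hardened_dsize(const uint8_t *pkt, uint32_t len)
{
    if (len < 4) return -1;                     /* not even a base header */
    uint32_t hlen = gre_header_len(pkt[0]);
    if (len < hlen) return -1;                  /* option fields truncated */
    uint32_t payload_len = len - hlen;
    if (payload_len > UINT16_MAX) return -1;    /* would be silently truncated */
    return (int32_t)payload_len;
}

int main(void)
{
    printf("truncated: vulnerable dsize=%u, hardened=%d\n",
           vulnerable_dsize(kTruncatedGre, (uint32_t)sizeof kTruncatedGre),
           hardened_dsize(kTruncatedGre, (uint32_t)sizeof kTruncatedGre));
    printf("plain:     vulnerable dsize=%u, hardened=%d\n",
           vulnerable_dsize(kPlainGre, (uint32_t)sizeof kPlainGre),
           hardened_dsize(kPlainGre, (uint32_t)sizeof kPlainGre));
    return 0;
}
```

For the truncated sample the vulnerable path yields a dsize of 65528 with the data pointer already past the captured bytes, which is exactly what a `-d` payload dump would then walk through; the hardened path rejects the packet before the subtraction happens. The length check has to come before `len - hlen`, not after: once the unsigned subtraction has wrapped, no later comparison on `payload_len` can tell a wrapped value from a genuinely large one.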



