
Re: [Snort-users] [Snort-devel] Calyptix Security Advisory CX-2007-001 -

To: rmkml <rmkml@free.fr>
Subject: Re: [Snort-users] [Snort-devel] Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability (fwd)
From: Martin Roesch <roesch@sourcefire.com>
Date: Thu, 11 Jan 2007 17:45:35 -0500
Cc: Snort-users@lists.sourceforge.net, Snort-devel@lists.sourceforge.net
Delivered-to: sp-com-lists@consult.net
Delivered-to: snort-list@securepoint.com
In-reply-to: <Pine.LNX.4.64.0701111930440.1321@npre.npre.pbz>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=snort-users>
List-help: <mailto:snort-users-request@lists.sourceforge.net?subject=help>
List-id: "Snort users talk about... Snort!" <snort-users.lists.sourceforge.net>
List-post: <mailto:snort-users@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=unsubscribe>
References: <Pine.LNX.4.64.0701111930440.1321@npre.npre.pbz>
Sender: snort-users-bounces@lists.sourceforge.net

Long story short, if you're running the experimental GRE decoder you
should update, otherwise you're fine.

        -Marty

On Jan 11, 2007, at 1:31 PM, rmkml wrote:

> Calyptix Security Advisory CX-2007-001
> Date: 01/11/2007
> http://www.calyptix.com/
> http://labs.calyptix.com/advisories/CX-2007-01.txt
>
> [ Overview ]
>
> Snort 2.6.1.2 is vulnerable to an integer underflow that allows a
> remote attacker to cause Snort to read beyond a specified length of
> memory, potentially corrupting logfiles.
>
> [ Risk ]
>
> Calyptix Security has classified this vulnerability as 'Low Risk' as
> the vulnerable code will not be compiled by default. Please see the
> analysis section for more details.
>
> [ Patch / Fix / Workaround ]
>
> Sourcefire has released a fix for this vulnerability in Snort's
> current CVS tree.
>
> [ Analysis ]
>
> Snort 2.6.1.2 has support for decoding the Generic Routing
> Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary
> protocols to a remote host. The vulnerability in Snort's parsing
> engine is located in the function DecodeGRE() in decode.c.
>
> ==BEGIN CODE==
> ...
> /* line 3459 decode.c */
> void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
> {
>      u_int8_t flags;
>      u_int32_t hlen;    /* GRE header length */
>      u_int32_t payload_len;
> ...
>      payload_len = len - hlen;     /* calculation for payload_len is done here */
> ...
>      switch (ntohs(p->greh->ether_type))   /* line 3597 decode.c */
>      {
> ...
>          default:                     /* line 3625 decode.c */
>              pc.other++;
>              p->data = pkt + hlen;
>              p->dsize = (u_short)payload_len;  /* truncates payload_len to 65XXX */
>              return;
>      }
> ...
> ==END CODE==
>
> 'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer
> types. A specially crafted GRE packet will trigger an integer
> underflow, causing 'payload_len' to wrap around and become a very
> large number. If the correct protocol field in the GRE header is
> used, the attacker can reach line 3627 of decode.c, which assigns
> 'payload_len' as an unsigned short to p->dsize. This truncates
> payload_len to around 65535. In order to exploit the vulnerability,
> Snort must be compiled with '--enable-gre' and run with the '-d'
> flag to dump the application layer content of each packet. Upon
> receiving the malicious packet, Snort will read and log beyond the
> packet's length in memory. This will leak other portions of memory
> that may contain the contents of other packets, Snort rules, and
> various Snort data structures.
>
> [ Disclosure Timeline ]
>
> 01/06/2007 - Vulnerability Discovered
> 01/08/2007 - Sourcefire, Inc. Contacted
> 01/11/2007 - Sourcefire Released Fix in Snort CVS
> 01/11/2007 - Public Disclosure
>
>
> [ Credit ]
>
> Chris Rohlf of Calyptix Security discovered this vulnerability.
>
>
> [ Contact ]
>
> You can contact Calyptix Security about this vulnerability by e-mailing
> advisories2007@calyptix.com
>
>
> [ About Calyptix Security ]
>
> Calyptix Security, founded in 2002, is located in Charlotte, North
> Carolina. Our Unified Threat Management (UTM) product, the
> AccessEnforcer (TM), is used by customers to protect their network
> infrastructure from security threats and is the only security
> appliance in the market that deploys DyVax (TM), our patent-pending
> signatureless inspection engine. The AccessEnforcer provides our
> customers all available gateway security features, including VPN,
> Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
> IM management, for a single price with no add-ons and no hidden
> costs.
>
>
> [ Legal Notice ]
>
> Calyptix Security grants each recipient of this advisory permission
> to redistribute this advisory in electronic or other written medium
> without modification.  This advisory may not be modified without the
> express written consent of Calyptix Security.  If the recipient
> wishes to modify the advisory in any manner or redistribute the
> contents of this advisory other than by way of an exact written or
> electronic transmission hereof, please email
> advisories2007@calyptix.com for such permission.
>
> The information in this advisory is believed to be accurate at the
> time of publication based upon currently available information. Use
> of this information constitutes acceptance for use in an AS IS
> condition.  There are no warranties with regard to any information
> in this advisory.  None of the author, the publisher nor Calyptix
> Security (nor any of their employees, affiliates or agents) accepts
> or has any liability for any direct, indirect or consequential loss
> or damage arising from the use of, or reliance on, any information
> contained in this advisory.
>
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

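As an added illustration for readers of the analysis above (this is not code from the advisory or from Snort), the C below models the length arithmetic the advisory describes, with the unchecked subtraction-then-cast beside a hardened version that validates before subtracting. The header-length rules follow the RFC 2784/2890 flag bits, and the sample packet bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* GRE flag bits (RFC 2784/2890); each option present adds 4 bytes to
 * the 4-byte base header. */
#define GRE_FLAG_C 0x80   /* checksum/offset present */
#define GRE_FLAG_K 0x20   /* key present */
#define GRE_FLAG_S 0x10   /* sequence number present */

/* Header length a decoder derives from the flag byte alone. */
uint32_t gre_header_len(uint8_t flags)
{
    uint32_t hlen = 4;
    if (flags & GRE_FLAG_C) hlen += 4;
    if (flags & GRE_FLAG_K) hlen += 4;
    if (flags & GRE_FLAG_S) hlen += 4;
    return hlen;
}

/* Model of the advisory's arithmetic: unsigned 32-bit subtraction, then
 * a cast to u_short. When hlen > len the difference wraps and the cast
 * keeps its low 16 bits, so dsize claims payload the buffer lacks. */
uint16_t dsize_unchecked(uint32_t len, uint32_t hlen)
{
    uint32_t payload_len = len - hlen;
    return (uint16_t)payload_len;
}

/* Hardened form: validate before subtracting. Returns the payload size
 * (0..65535), or -1 when the buffer is shorter than the header its flags
 * advertise or the payload would not fit a 16-bit dsize. */
int32_t dsize_checked(uint32_t len, uint32_t hlen)
{
    if (hlen > len || len - hlen > UINT16_MAX)
        return -1;
    return (int32_t)(len - hlen);
}

int main(void)
{
    /* Constructed sample: flag byte 0xB0 (C|K|S) advertises a 16-byte
     * header, but only 8 bytes of the packet were captured. */
    const uint8_t trunc[8] = { 0xB0, 0x00, 0x08, 0x00, 0x12, 0x34, 0x00, 0x00 };
    uint32_t hlen = gre_header_len(trunc[0]);
    printf("unchecked dsize: %u\n", dsize_unchecked(8, hlen));   /* 65528 */
    printf("checked dsize:   %d\n", dsize_checked(8, hlen));     /* -1 */
    return 0;
}
```

The wrapped value is what lets a logger with `-d` walk past the real end of the packet; the checked form refuses the packet before any length is derived from it.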

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
