Earlier Monday, Snort.org announced a vulnerability in the 2.x series of the open source IDS software. The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to use a malformed, crafted TCP/IP packet to cause a DoS in Snort. These vulnerabilities involve NULL pointer dereferences, which should mean that only a denial of service is possible.
JustinF noted earlier today that the original advisory that I grabbed from the snort.org site was not completely accurate. You _do not_ have to be running snort with the -v flag set, as there are other execution paths that lead to the PrintTcpOptions() function. Notably, PrintIPPacket() can be used to call the vulnerable function. Reaching it that way requires a few conditions to hold, such as the packet not being a fragment and its protocol being TCP. (For those looking at the code from CVS, it takes a couple of levels of following the code to see this connection.)
Justin also noted that running with "-A fast", logging in ASCII mode, and the frag3 and stream4 preprocessors each have some potential to reach PrintTcpOptions(), in addition to the initially reported -v flag.
He also noted that there are several bugs in PrintTcpOptions(), as is apparent from the changes made to the source, which cover nearly all of the TCP options, not just SACK.
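The diary describes the defect only as NULL pointer dereferences while printing TCP options, so as an added illustration (not Snort's code, and not a reconstruction of its bug) here is a minimal, constructed TCP options walker in C that shows the checks an options printer needs before it touches any option's data: a guard for a missing options pointer, a bounds check before reading each length byte, a rejection of lengths below 2 or past the end of the options region, and a sanity check on the SACK payload size. The option kind constants follow RFC 793 and RFC 2018; the sample byte arrays, the helper names (walk_tcp_options, demo_*) and the result codes are all my own for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds (RFC 793, RFC 2018). */
#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_MSS   2
#define TCPOPT_SACK  5

/* Negative results mean the options region was rejected before any
   option payload was read; this is the defensive behaviour we want. */
enum opt_result { OPT_NULL_INPUT = -1, OPT_TRUNCATED = -2, OPT_BAD_LEN = -3 };

/* Walk the options region of a TCP header.
   Returns the number of options decoded on success, or a negative
   enum opt_result on malformed input. If sack_blocks is non-NULL it
   receives the total number of SACK blocks seen. */
int walk_tcp_options(const uint8_t *opts, size_t len, int *sack_blocks)
{
    size_t i = 0;
    int count = 0;

    if (sack_blocks)
        *sack_blocks = 0;
    /* Guard: a NULL data pointer with a non-zero length must never be read. */
    if (opts == NULL && len > 0)
        return OPT_NULL_INPUT;

    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;                      /* end of options list */
        if (kind == TCPOPT_NOP) {       /* single-byte option, no length field */
            i++;
            count++;
            continue;
        }
        /* Every other option carries a length byte; make sure it is inside the buffer. */
        if (i + 1 >= len)
            return OPT_TRUNCATED;
        uint8_t olen = opts[i + 1];
        /* Length covers kind + length bytes, so it can never be < 2,
           and the option must not run past the end of the region. */
        if (olen < 2 || i + olen > len)
            return OPT_BAD_LEN;
        if (kind == TCPOPT_SACK) {
            /* SACK payload is a list of (left, right) 32-bit edge pairs. */
            if ((olen - 2) % 8 != 0)
                return OPT_BAD_LEN;
            if (sack_blocks)
                *sack_blocks += (olen - 2) / 8;
        }
        i += olen;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    TCPOPT_NOP, TCPOPT_NOP,
    TCPOPT_SACK, 10, 0, 0, 0, 1, 0, 0, 0, 2   /* one SACK block */
};
static const uint8_t SAMPLE_BAD_SACK[] = { TCPOPT_SACK, 1 };   /* length < 2 */
static const uint8_t SAMPLE_TRUNC[]    = { TCPOPT_MSS };       /* no length byte */

int demo_good(void)          { return walk_tcp_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD, NULL); }
int demo_good_sack_blocks(void)
{
    int blocks = 0;
    walk_tcp_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &blocks);
    return blocks;
}
int demo_bad_sack(void)      { return walk_tcp_options(SAMPLE_BAD_SACK, sizeof SAMPLE_BAD_SACK, NULL); }
int demo_truncated(void)     { return walk_tcp_options(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, NULL); }
int demo_null_with_len(void) { return walk_tcp_options(NULL, 4, NULL); }
int demo_null_empty(void)    { return walk_tcp_options(NULL, 0, NULL); }

int main(void)
{
    printf("good: %d options, %d SACK blocks\n", demo_good(), demo_good_sack_blocks());
    printf("bad sack: %d, truncated: %d, null/len4: %d, null/len0: %d\n",
           demo_bad_sack(), demo_truncated(), demo_null_with_len(), demo_null_empty());
    return 0;
}
```

The point of the example is that every rejection happens before any byte of option payload is dereferenced; a printer that validates options in this order cannot be steered into reading through a NULL or short data pointer, whichever code path (packet logging, fast alerting, a preprocessor) handed it the packet.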
Thanks Justin for looking closely at the code and bringing it to our attention.
Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release.
Proof of Concept Released:
In addition, proof of concept code has been released concerning this vulnerability.
Scott Fendley, Handler on Duty
Sep 13th 2005