Re: [net-snmp 5.x] Security breach

Old 06-30-2005
Roman Tsiroulnikov


Hello, Wes!

Thank you for fast reply!

Yes, at this time it's reproducible only via TCP, but in principle it
doesn't matter which transport we are using.
The 'Z' symbol is only one example.
The protocol parser code (snmplib/snmp_api.c) has, by default, an
infinite loop that processes multiple PDUs from a stream socket. If the
parser receives a broken PDU, it returns pdu_length as zero, and the
while loop goes into an infinite loop. See snmplib/snmp_api.c, func
_sess_read(void *sessp, fd_set * fdset), lines around 5379, 5385 and 5465.
In the patch I sent you in the previous letter, I inserted an additional
check that pdu_length is non-zero (at line 5395), and the agent has
become stable on my installations.

--
Wishing you nice day,
___________________________
Roman Tsiroulnikov
Monitoring & infrastructure projects
romanvt@devexperts.com <mailto:romanvt@devexperts.com>
http://www.devexperts.com
Tel. +7(812) 336-57-88



Wes Hardaker wrote:

>>>>>> On Wed, 29 Jun 2005 12:36:49 +0400, Roman Tsiroulnikov <romanvt@devexperts.com> said:
>
>Roman> We've found a critical bug in the net-snmp library, in the request PDU
>Roman> parser. In particular situations, if the snmp daemon receives an
>Roman> incorrect or broken request PDU, it loops infinitely within the
>Roman> PDU parser code, taking 100% load on one CPU, and stops
>Roman> serving further requests.
>
>There should be code to prevent that from happening already in place.
>
>Roman> To reproduce this bug: send a 1-byte request with the 'Z' symbol. You
>Roman> can use something like netcat, or this is 100% reproducible by
>Roman> running the Nessus scanner.
>
>Ok, I've reproduced it for 5.1.2. I'm checking other versions, but f
>
>Roman> TCP & UDP code are both affected.
>
>Only TCP is affected as far as I can tell so far. UDP doesn't have
>this issue from anything I've tested. In fact, if you look at the
>code in question, it only affects stream sockets. I've tested things
>just to be sure, however, and there are no issues. At least with the
>letter 'Z'.
>
>
>




_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/...et-snmp-coders
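The zero-progress framing loop the thread describes, as an added illustration constructed for this page (it is not net-snmp's snmplib/snmp_api.c and does not reproduce _sess_read): a toy stream framer that reports a broken or incomplete PDU as length zero, the loop shape that spins on that zero, and a hardened loop that stops on zero progress and tells the caller whether to keep buffering or close the connection. The PDU format (a BER SEQUENCE tag 0x30 with a one-byte short-form length), all function names and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pdu_status { PDU_OK, PDU_INCOMPLETE, PDU_BROKEN };

/* Constructed toy framer, NOT net-snmp's parser: a PDU is a BER SEQUENCE
 * (tag 0x30) with a one-byte short-form length. On PDU_OK, *pdu_len is the
 * number of bytes the PDU occupies; otherwise it is 0, like the zero
 * pdu_length in the report above. */
static enum pdu_status frame_pdu(const uint8_t *buf, size_t len, size_t *pdu_len)
{
    *pdu_len = 0;
    if (len >= 1 && buf[0] != 0x30)
        return PDU_BROKEN;                  /* e.g. a lone 'Z' (0x5a) */
    if (len < 2)
        return PDU_INCOMPLETE;              /* need tag + length */
    if (buf[1] & 0x80)
        return PDU_BROKEN;                  /* long-form length not accepted here */
    size_t total = 2 + (size_t)buf[1];
    if (total > len)
        return PDU_INCOMPLETE;              /* body still in flight */
    *pdu_len = total;
    return PDU_OK;
}

/* Vulnerable shape: every pass re-parses at the same offset when pdu_len is
 * 0, so one bad byte pins the loop at 100% CPU. max_passes exists only so
 * the example terminates; the return value is the pass count, which shows
 * the spin. */
static unsigned drain_vulnerable(const uint8_t *buf, size_t len, unsigned max_passes)
{
    size_t off = 0, pdu_len;
    unsigned passes = 0;
    while (off < len && passes < max_passes) {
        passes++;
        frame_pdu(buf + off, len - off, &pdu_len);
        off += pdu_len;                     /* 0 => no progress, loop again */
    }
    return passes;
}

/* Hardened shape: never iterate without progress. Returns the number of
 * complete PDUs dispatched; *leftover is the unconsumed tail to keep
 * buffering on PDU_INCOMPLETE; *close_conn is set on PDU_BROKEN so the
 * caller drops the stream instead of retrying the same bytes. */
static unsigned drain_hardened(const uint8_t *buf, size_t len,
                               size_t *leftover, int *close_conn)
{
    size_t off = 0, pdu_len;
    unsigned pdus = 0;
    *close_conn = 0;
    while (off < len) {
        enum pdu_status st = frame_pdu(buf + off, len - off, &pdu_len);
        if (st == PDU_BROKEN) { *close_conn = 1; break; }
        if (st == PDU_INCOMPLETE || pdu_len == 0) break;   /* the non-zero check */
        pdus++;
        off += pdu_len;
    }
    *leftover = len - off;
    return pdus;
}

/* Constructed inputs: the lone 'Z' from the report, and two complete PDUs
 * followed by the start of a third. */
static const uint8_t lone_z[] = { 'Z' };
static const uint8_t stream[] = { 0x30, 0x02, 0x02, 0x01,    /* PDU 1 */
                                  0x30, 0x01, 0x05,          /* PDU 2 */
                                  0x30, 0x05, 0x02 };        /* truncated PDU 3 */

unsigned vulnerable_passes_on_z(void)
{
    return drain_vulnerable(lone_z, sizeof lone_z, 1000);
}
int hardened_closes_on_z(void)
{
    size_t left; int close_it;
    drain_hardened(lone_z, sizeof lone_z, &left, &close_it);
    return close_it;
}
unsigned hardened_pdus_on_stream(void)
{
    size_t left; int close_it;
    return drain_hardened(stream, sizeof stream, &left, &close_it);
}
size_t hardened_leftover_on_stream(void)
{
    size_t left; int close_it;
    drain_hardened(stream, sizeof stream, &left, &close_it);
    return left;
}

int main(void)
{
    printf("vulnerable loop on 'Z': %u passes (hit the cap)\n", vulnerable_passes_on_z());
    printf("hardened loop on 'Z': close=%d\n", hardened_closes_on_z());
    printf("hardened loop on stream: %u PDUs, %zu bytes left\n",
           hardened_pdus_on_stream(), hardened_leftover_on_stream());
    return 0;
}
```

The distinction between incomplete and broken matters on a stream socket: a partial PDU is normal (keep the tail and wait for more bytes), while a byte that can never start a PDU should end the connection, because re-parsing the same bytes on the next pass is exactly what pins the CPU in the report.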