This is a discussion on [Snort-users] Snort DoS Fallacies within the Snort forums, part of the System Security and Security Related category.
Hello,

The recent advisory from the Snort team in regards to the DoS in the PrintTCPOptions() function of log.c is incorrect in a couple of regards.

Firstly, and most importantly: you _do not_ have to be running snort with -v. There are several execution paths in snort that lead to the function PrintTCPOptions(); excerpts from the relevant code are below.

First, let us see how the code gets to PrintTCPOptions(). PrintTCPOptions() is called by PrintTCPHeader(), which in turn is called by PrintIPPkt(); see below for the relevant code snippets. The line numbers are from the current CVS version of snort, pulled down approx. 1 hour ago.

    snort/src/log.c
    315 PrintIPPkt()
    [...]
    337     if(!p->frag_flag)
    338     {
    339         switch(p->iph->ip_proto)
    340         {
    341             case IPPROTO_TCP:
    342                 if(p->tcph != NULL)
    343                 {
    344                     PrintTCPHeader(fp, p);
    345                 }

    snort/src/log.c
    934 PrintTCPHeader()
    [...]
    962     /* dump the TCP options */
    963     if(p->tcp_option_count != 0)
    964     {
    965         PrintTcpOptions(fp, p);
    966     }

So we see here that if someone calls PrintIPPkt(), and the packet is not a fragment, and its protocol is TCP, then we call PrintTCPHeader(); and once inside PrintTCPHeader(), if the option count is not 0, then we call PrintTCPOptions().

Now a quick grep(1) of the source tree reveals several possible ways to end up at PrintIPPkt(); the relevant source is below.

First, if we are using the option -A fast:

    snort/src/output-plugins/spo_alert_fast.c
    134 AlertFast()
    [...]
    146     if(msg != NULL)
    147     {
    [...]
    208         if(p && data->packet_flag)
    209         {
    210             fputc('\n', data->file);
    211
    212             if(p->iph)
    213                 PrintIPPkt(data->file, p->iph->ip_proto, p);

Second, if we are logging in ASCII mode (a lot of people):

    snort/src/output-plugins/spo_log_ascii.c
    112 LogAscii()
    [...]
    137     if(p)
    138     {
    139         if(p->iph)
    140             PrintIPPkt(log_ptr, p->iph->ip_proto, p);

Also, in the frag3 preprocessor (and I'm not sure what the point of defining DEBUG_FRAG3 at compile time would be, at least in this code segment, as the execution flow is exactly the same):

    snort/src/preprocessors/spp_frag3.c
    2929 Frag3Rebuild()
    [...]
    3117 #ifdef DEBUG_FRAG3
    [...]
    3122     if (DEBUG_FRAG & GetDebugLevel())
    3123     {
    [...]
    3126         PrintIPPkt(stdout, defrag_pkt->iph->ip_proto, defrag_pkt);
    [...]
    3129     }
    3130 #endif
    [...]
    3133     PrintIPPkt(stdout, defrag_pkt->iph->ip_proto, defrag_pkt);

It can also be called in the stream4 preprocessor, if a few debugging conditions are met:

    snort/src/preprocessors/stream4.c
    4682 BuildPacket()
    [...]
    4841 #ifdef DEBUG
    [...]
    4852     if (DEBUG_STREAM & GetDebugLevel())
    4853     {
    [...]
    4856         PrintIPPkt(stdout, IPPROTO_TCP, stream_pkt);
    [...]
    4863     }
    4864 #endif

And finally, as the snort authors suggested, if you are using -v:

    snort/src/snort.c
    766     /* print the packet to the screen */
    767     if(pv.verbose_flag)
    768     {
    769         if(p.iph != NULL)
    770             PrintIPPkt(stdout, p.iph->ip_proto, &p);

Additionally, as the second part of the misrepresentation of data, there are several bugs in PrintTCPOptions(), which is apparent from the changes they made; these include nearly all of the TCP options, not just SACK. These include the following options:

    TCPOPT_MAXSEG, TCPOPT_WSCALE, TCPOPT_ECHO, TCPOPT_ECHOREPLY,
    TCPOPT_TIMESTAMP, TCPOPT_CC, TCPOPT_CCNEW, TCPOPT_CCECHO, and _any_
    unrecognized or invalid option.

However, the snort team did say one thing correctly, and that is that these are all NULL pointer dereferences, and therefore only a DoS and not exploitable to run arbitrary code.

Best Regards,

J. Ferguson
Intrusion Analyst
NNSA Information Assurance Response Center (IARC)
fergusonj@nv.doe.gov
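The post describes a decode-then-print split: a decoder records the TCP options of a packet, and a printer later dereferences each option's data pointer, which is where a missing length check becomes a NULL pointer dereference on a crafted options area. The following is an added example, not Snort's code and not from the poster: a bounds-checked options walker plus a printer that validates each option's length (and therefore whether its data pointer is usable) before reading any payload byte. The option-kind constants, the FIXED_LEN table, the function names and the sample byte strings are all this example's own; the samples are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds (RFC 793, RFC 1323, RFC 2018); these constants are the example's own. */
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MAXSEG = 2, TCPOPT_WSCALE = 3,
       TCPOPT_SACKOK = 4, TCPOPT_SACK = 5, TCPOPT_TIMESTAMP = 8, MAX_TCP_OPTS = 40 };
/* Required total length of fixed-size kinds, indexed by kind; 0 = variable or unknown. */
static const uint8_t FIXED_LEN[9] = { 0, 0, 4, 3, 2, 0, 0, 0, 10 };

/* len counts the kind and length bytes too (1 for EOL/NOP); data is NULL when
 * the option has no payload, so a printer must check len before using it. */
struct tcp_opt { uint8_t kind, len; const uint8_t *data; };
struct tcp_opts { struct tcp_opt opt[MAX_TCP_OPTS]; int count, truncated; };

/* Decoder: record only options that fit entirely in buf. Stops and sets
 * truncated when a length byte is missing, below 2, or reaches past the end. */
int decode_tcp_options(const uint8_t *buf, size_t len, struct tcp_opts *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (i < len && out->count < MAX_TCP_OPTS) {
        struct tcp_opt *o = &out->opt[out->count];
        o->kind = buf[i]; o->data = NULL;
        if (o->kind == TCPOPT_EOL || o->kind == TCPOPT_NOP) {   /* single-byte kinds */
            o->len = 1; out->count++; i++;
            if (o->kind == TCPOPT_EOL) break;                    /* rest is padding */
            continue;
        }
        if (i + 1 >= len) { out->truncated = 1; break; }         /* no length byte */
        o->len = buf[i + 1];
        if (o->len < 2 || i + o->len > len) { out->truncated = 1; break; }
        if (o->len > 2) o->data = buf + i + 2;
        out->count++;
        i += o->len;
    }
    return out->count;
}

static unsigned be32(const uint8_t *p)
{
    return (unsigned)p[0] << 24 | (unsigned)p[1] << 16 | (unsigned)p[2] << 8 | p[3];
}

/* Printer: counterpart of a PrintTcpOptions()-style dumper. The length check
 * (which also guarantees data != NULL) happens before any payload byte is read.
 * Writes a description into out and returns the number of malformed options. */
int describe_tcp_options(const struct tcp_opts *t, char *out, size_t outlen)
{
    int bad = 0; size_t pos = 0;
    out[0] = '\0';
    for (int n = 0; n < t->count && pos < outlen; n++) {
        const struct tcp_opt *o = &t->opt[n];
        unsigned kind = o->kind, len = o->len;
        unsigned want = kind < 9 ? FIXED_LEN[kind] : 0;
        int malformed = (want && len != want) ||
                        (kind == TCPOPT_SACK && (len < 10 || (len - 2) % 8));
        char tmp[64];
        if (malformed) {
            bad++;
            snprintf(tmp, sizeof tmp, "BAD(kind=%u len=%u) ", kind, len);
        } else switch (kind) {
        case TCPOPT_EOL:    snprintf(tmp, sizeof tmp, "EOL "); break;
        case TCPOPT_NOP:    snprintf(tmp, sizeof tmp, "NOP "); break;
        case TCPOPT_MAXSEG: snprintf(tmp, sizeof tmp, "MSS=%u ", (unsigned)(o->data[0] << 8 | o->data[1])); break;
        case TCPOPT_WSCALE: snprintf(tmp, sizeof tmp, "WS=%u ", (unsigned)o->data[0]); break;
        case TCPOPT_SACKOK: snprintf(tmp, sizeof tmp, "SACKOK "); break;
        case TCPOPT_SACK:   snprintf(tmp, sizeof tmp, "SACK(%u blocks) ", (len - 2) / 8); break;
        case TCPOPT_TIMESTAMP:
            snprintf(tmp, sizeof tmp, "TS(val=%u ecr=%u) ", be32(o->data), be32(o->data + 4)); break;
        default:            snprintf(tmp, sizeof tmp, "OPT%u(len=%u) ", kind, len); break;
        }
        int w = snprintf(out + pos, outlen - pos, "%s", tmp);
        if (w < 0) break;
        pos += (size_t)w;
    }
    return bad;
}

/* Constructed sample option areas for the demo (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = { 0x02,0x04,0x05,0xb4, 0x01, 0x03,0x03,0x07, 0x04,0x02,
    0x08,0x0a,0,0,0,1,0,0,0,0, 0x00 };            /* MSS 1460, NOP, WS 7, SACKOK, TS 1/0, EOL */
static const uint8_t SAMPLE_TRUNC_MSS[] = { 0x02, 0x04 };             /* MSS claims 4 bytes, 2 present */
static const uint8_t SAMPLE_SHORT_MSS[] = { 0x02, 0x03, 0x05, 0x00 }; /* MSS with len 3: fits, wrong size */
static const uint8_t SAMPLE_ZERO_LEN[]  = { 0x02, 0x00, 0x00, 0x00 }; /* len 0 would spin if unchecked */

int main(void)
{
    const uint8_t *bufs[] = { SAMPLE_GOOD, SAMPLE_TRUNC_MSS, SAMPLE_SHORT_MSS, SAMPLE_ZERO_LEN };
    const size_t lens[] = { sizeof SAMPLE_GOOD, 2, 4, 4 };
    for (int k = 0; k < 4; k++) {
        struct tcp_opts t; char desc[256];
        int n = decode_tcp_options(bufs[k], lens[k], &t);
        int bad = describe_tcp_options(&t, desc, sizeof desc);
        printf("sample %d: opts=%d truncated=%d malformed=%d %s\n", k, n, t.truncated, bad, desc);
    }
    return 0;
}
```

Two properties matter here. The decoder never records an option whose declared length runs past the buffer or is below 2, so a crafted "MSS with length byte 4 but only two bytes present" is reported as truncated instead of being handed to the printer with a dangling or NULL data pointer; and the printer treats the per-kind length table as the precondition for every dereference, so an MSS option with length 3 (which fits in the buffer but is not a valid MSS) is reported as malformed rather than read as two bytes. Unknown kinds are described by kind and length only, since the printer has no basis for interpreting their payload.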