SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Snort Vendors:   snort.org
Snort Integer Underflow in Processing the GRE Protocol May Let Remote Users Corrupt Log Files
SecurityTracker Alert ID:  1017507
SecurityTracker URL:  http://securitytracker.com/id/1017507
CVE Reference:   CVE-2007-0251   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Jan 12 2007
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.6.1.2
Description:   A vulnerability was reported in Snort. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted Generic Routing Encapsulation (GRE) protocol data to trigger an integer underflow in the DecodeGRE() function in 'decode.c' and potentially corrupt Snort log files.

The system is affected when compiled with '--enable-gre' and run with the '-d' flag. The vulnerable code is not compiled by default.

The vendor was notified on January 8, 2007.

Chris Rohlf of Calyptix Security discovered this vulnerability.

The original advisory is available at:

http://labs.calyptix.com/advisories/CX-2007-01.txt

Impact:   A remote user may be able to corrupt Snort log files.
Solution:   The vendor has issued a source code fix, available via CVS.
Vendor URL:  www.snort.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 11 Jan 2007 12:04:46 -0500
Subject:  Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer

Calyptix Security Advisory CX-2007-001
Date: 01/11/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-01.txt

[ Overview ]

Snort 2.6.1.2 is vulnerable to an integer underflow that allows a
remote attacker to cause Snort to read beyond a specified length of
memory, potentially corrupting logfiles.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Low Risk' as
the vulnerable code will not be compiled by default. Please see the
analysis section for more details.

[ Patch / Fix / Workaround ]

Sourcefire has released a fix for this vulnerability in Snort's current CVS
tree.

[ Analysis ]

Snort 2.6.1.2 has support for decoding the Generic Routing
Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary
protocols to a remote host. The vulnerability in Snort's parsing
engine is located in the function DecodeGRE() in decode.c

==BEGIN CODE==
...
(line 3459 decode.c)
void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
{
    u_int8_t flags;
    u_int32_t hlen;    /* GRE header length */
    u_int32_t payload_len;
...
payload_len = len - hlen;	(calculation for payload_len is done here)
...
switch (ntohs(p->greh->ether_type))	(line 3597 decode.c)
    {
...
        default:			(line 3625 decode.c)
            pc.other++;
            p->data = pkt + hlen;
            p->dsize = (u_short)payload_len;  (truncates payload_len to 65XXX)
            return;
    }
...
==END CODE==

'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer
types. A specially crafted GRE packet will trigger an integer
underflow, causing 'payload_len' to wrap around and become a very
large number. If the correct protocol field in the GRE header is
used, the attacker can reach line 3627 of decode.c, which assigns
'payload_len' as an unsigned short to p->dsize. This truncates
payload_len to around 65535. In order to exploit the vulnerability,
Snort must be compiled with '--enable-gre' and run with the '-d'
flag to dump the application layer content of each packet. Upon
receiving the malicious packet, Snort will read and log beyond the
packet's length in memory. This will leak other portions of memory
that may contain the contents of other packets, Snort rules, and
various Snort data structures.

[ Disclosure Timeline ]

01/06/2007 - Vulnerability Discovered
01/08/2007 - Sourcefire, Inc. Contacted
01/11/2007 - Sourcefire Released Fix in Snort CVS
01/11/2007 - Public Disclosure


[ Credit ]

Chris Rohlf of Calyptix Security discovered this vulnerability.


[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing
 advisories2007@calyptix.com


[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.


[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification.  This advisory may not be modified without the
express written consent of Calyptix Security.  If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007@calyptix.com for such permission.

The information in this advisory is believe to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition.  There are no warranties with regard to any information
in this advisory.  None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC