FW: [funsec] Snort SACK TCP Option Handling Remote Denial of Service Issue
Polazzo Justin
Justin.Polazzo at facilities.gatech.edu
Tue Sep 13 14:33:14 CDT 2005
oops! Replied to fergie only
-----Original Message-----
From: Polazzo Justin
Sent: Tuesday, September 13, 2005 10:21 AM
To: 'Fergie (Paul Ferguson)'
Subject: RE: [funsec] Snort SACK TCP Option Handling Remote Denial of Service Issue
Yeah, but what version of snort? 1.1? =P
You have to be careful with FrSIRT; stolen code and lame exploits are
part of their SOP
Test 'em (as always) before believing 'em
-JP
-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
On Behalf Of Fergie (Paul Ferguson)
Sent: Monday, September 12, 2005 8:30 PM
To:
Subject: Re: [funsec] Snort SACK TCP Option Handling Remote Denial of Service Issue
Oh yeah, and there's an exploit already:
http://www.frsirt.com/exploits/20050912.snortsackdos.c.php
- ferg
-- "Fergie (Paul Ferguson)" <fergdawg at netzero.net> wrote:
In case you haven't seen this:
[snip]
FrSIRT Advisory : FrSIRT/ADV-2005-1721
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-09-12
* Technical Description *
A vulnerability has been identified in Snort, which could be exploited
by remote attackers to cause a denial of service. This flaw is due to an
error in the "PrintTcpOptions()" function [log.c] that does not properly
handle specially crafted TCP packets containing malformed SACK options,
which could be exploited by remote attackers to crash a vulnerable
application. Note : This vulnerability exists only when snort is run in
verbose mode.
* Affected Products *
Snort version 2.4.0 and prior
* Solution *
A fix is available via CVS :
http://www.snort.org/pub-bin/snapshots.cgi
* References *
http://www.frsirt.com/english/advisories/2005/1721
http://www.vulnfact.com/advisories/snort_adv.html
[snip]
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg at netzero.net or fergdawg at sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
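An added illustration, not Snort's code and not taken from the advisory or the posts above: a bounds-checked walk of a TCP options area that validates a SACK option's length before a verbose logger reads its blocks. The function name `print_sack_options` and the output format are hypothetical; the length rule (2 header bytes plus one to four 8-byte blocks) follows RFC 2018.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5   /* RFC 2018 selective acknowledgment */

/* Read a 32-bit big-endian value from four already-validated bytes. */
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Walk a TCP options area and print each SACK block to `out`.
 * Every length is checked before option data is touched.
 * Returns the number of blocks printed, or -1 if the area is malformed. */
int print_sack_options(const uint8_t *opts, size_t len, FILE *out)
{
    size_t i = 0;
    int blocks = 0;

    if (opts == NULL)
        return len == 0 ? 0 : -1;
    while (i < len && opts[i] != TCPOPT_EOL) {
        if (opts[i] == TCPOPT_NOP) { i++; continue; }
        if (len - i < 2)
            return -1;                      /* kind byte without a length byte */
        size_t olen = opts[i + 1];          /* counts kind + length + data */
        if (olen < 2 || olen > len - i)
            return -1;                      /* zero-progress or truncated option */
        if (opts[i] == TCPOPT_SACK) {
            size_t dlen = olen - 2;         /* must be 1..4 blocks of 8 bytes */
            if (dlen == 0 || dlen % 8 != 0 || dlen > 32)
                return -1;
            for (size_t b = 0; b < dlen; b += 8, blocks++)
                fprintf(out, "Sack: %lu@%lu ",
                        (unsigned long)be32(&opts[i + 2 + b]),
                        (unsigned long)be32(&opts[i + 6 + b]));
        }
        i += olen;
    }
    return blocks;
}
```

A caller that gets -1 can log the options area as malformed instead of attempting to decode it.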