FW: [funsec] Snort SACK TCP Option Handling Remote Denial of Service Issue

Polazzo Justin Justin.Polazzo at facilities.gatech.edu
Tue Sep 13 14:33:14 CDT 2005


 oops! Replied to fergie only

-----Original Message-----
From: Polazzo Justin 
Sent: Tuesday, September 13, 2005 10:21 AM
To: 'Fergie (Paul Ferguson)'
Subject: RE: [funsec] Snort SACK TCP Option Handling Remote Denial of
Service Issue

Yeah, but what version of snort? 1.1? =P

You have to be careful with FrSIRT; stolen code and lame exploits are
part of their SOP

Test 'em (as always) before believing 'em

-JP

 

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
On Behalf Of Fergie (Paul Ferguson)
Sent: Monday, September 12, 2005 8:30 PM
To: 
Subject: Re: [funsec] Snort SACK TCP Option Handling Remote Denial of
Service Issue

Oh yeah, and there's an exploit already:

 http://www.frsirt.com/exploits/20050912.snortsackdos.c.php

- ferg


-- "Fergie (Paul Ferguson)" <fergdawg at netzero.net> wrote:

In case you haven't seen this:

[snip]

FrSIRT Advisory : FrSIRT/ADV-2005-1721
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-09-12

* Technical Description *

A vulnerability has been identified in Snort, which could be exploited
by remote attackers to cause a denial of service. This flaw is due to an
error in the "PrintTcpOptions()" function [log.c] that does not properly
handle specially crafted TCP packets containing malformed SACK options,
which could be exploited by remote attackers to crash a vulnerable
application. Note : This vulnerability exists only when snort is run in
verbose mode.

* Affected Products *

Snort version 2.4.0 and prior

* Solution *

A fix is available via CVS :
http://www.snort.org/pub-bin/snapshots.cgi

* References *

http://www.frsirt.com/english/advisories/2005/1721
http://www.vulnfact.com/advisories/snort_adv.html

[snip]

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg at netzero.net or fergdawg at sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
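
The advisory quoted above places the crash in option-printing code that mishandles malformed SACK options. The C code below is an added example, not Snort's code and not part of the original thread: it walks a TCP options area and checks every length before reading, using the RFC 2018 rule that a SACK option carrying n blocks is 8n+2 bytes long. The function name `print_sack_options` and the sample byte arrays are constructed for this example.

```c
/* Added example: not Snort source; names and sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_SACK = 5 };

static unsigned long be32(const uint8_t *p)   /* big-endian 32-bit read */
{
    return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16) |
           ((unsigned long)p[2] << 8) | (unsigned long)p[3];
}

/* Walk `len` bytes of TCP options and print each SACK block to `out` (may be
 * NULL). Returns the number of SACK blocks, or -1 at the first malformed
 * option. Every length is checked before the bytes it covers are read. */
int print_sack_options(const uint8_t *opts, size_t len, FILE *out)
{
    int blocks = 0;
    size_t i = 0;

    if (opts == NULL) return len == 0 ? 0 : -1;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == OPT_EOL) break;                 /* end of option list */
        if (kind == OPT_NOP) { i++; continue; }     /* one-byte padding */
        if (len - i < 2) return -1;                 /* length byte missing */
        size_t olen = opts[i + 1];
        if (olen < 2 || olen > len - i) return -1;  /* too short or overruns */
        if (kind == OPT_SACK) {
            /* RFC 2018: n blocks give a length of 8*n + 2, with n >= 1 */
            if (olen == 2 || (olen - 2) % 8 != 0) return -1;
            for (size_t off = i + 2; off < i + olen; off += 8, blocks++)
                if (out)
                    fprintf(out, "SACK %lu-%lu\n",
                            be32(opts + off), be32(opts + off + 4));
        }
        i += olen;
    }
    return blocks;
}

/* Constructed sample option areas (not from the advisory or any capture). */
static const uint8_t good_sack[]    = { 1, 1, 5, 10, 0, 0, 0, 100, 0, 0, 0, 200 };
static const uint8_t empty_sack[]   = { 5, 2, 1, 1 };           /* no block data */
static const uint8_t odd_sack[]     = { 5, 7, 0, 0, 0, 1, 0 };  /* not 8n + 2 */
static const uint8_t overrun_sack[] = { 1, 1, 5, 10, 0, 0 };    /* claims 10, has 4 */

int main(void)
{
    printf("good: %d\n", print_sack_options(good_sack, sizeof good_sack, stdout));
    printf("empty: %d\n", print_sack_options(empty_sack, sizeof empty_sack, stdout));
    printf("odd: %d\n", print_sack_options(odd_sack, sizeof odd_sack, stdout));
    printf("overrun: %d\n", print_sack_options(overrun_sack, sizeof overrun_sack, stdout));
    return 0;
}
```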



