Your message dated Fri, 28 Oct 2005 18:03:49 +0200 with message-id <[EMAIL PROTECTED]> and subject line snort: Remote buffer overflow in the 'bo' preprocessor has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Oct 2005 22:11:38 +0000
Date: Wed, 19 Oct 2005 00:11:33 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: snort: Remote buffer overflow in the 'bo' preprocessor
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.10i

Package: snort
Severity: critical
Version: 2.3.3-2
Justification: remote compromise

Well, I have just read both an X-force and a CERT alert related to Snort; it seems that it is possible to make a preprocessor (bo) crash and run code remotely through a single UDP packet. I'm still investigating the issue to see if it affects the sarge, etch and sid versions (we are not using the bo preprocessor from 2.4, which seems to be the one vulnerable).

For more information:
http://xforce.iss.net/xforce/alerts/id/207
http://www.us-cert.gov/cas/techalerts/TA05-291A.html
http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
http://www.snort.org/pub-bin/snortnews.cgi

It seems CERT's VU#175500 is the only reference available, as no CVE name has been assigned. It also seems that X-force reported this October 13th and disclosed it October 18th. It doesn't look like CERT coordinated much, did they?
Attached is the patch from 2.4.3 that seems to be relevant to the issue; it's a rather long patch and does not apply cleanly to 2.3.2-3 at least.

For those people running Snort Debian packages it is advised they disable the Snort 'bo' preprocessor (it's enabled in the stock Debian configuration) until this issue has been reviewed and, maybe, fixed.

Regards

Javier

Content-Disposition: attachment; filename="snort-2.4.3-bo-bof.diff"

diff -Nru snort-2.4.2/etc/gen-msg.map snort-2.4.3/etc/gen-msg.map --- snort-2.4.2/etc/gen-msg.map 2005-09-14 21:09:09.000000000 +0200 +++ snort-2.4.3/etc/gen-msg.map 2005-10-16 20:55:28.000000000 +0200 @@ -1,4 +1,4 @@ -# $Id: gen-msg.map,v 1.16.2.2.2.3 2005/09/14 19:09:09 amullican Exp $ +# $Id: gen-msg.map,v 1.16.2.2.2.4 2005/10/16 18:55:28 ssturges Exp $ # GENERATORS -> msg map # Format: generatorid || alertid || MSG =20 @@ -22,6 +22,7 @@ 105 || 1 || spp_bo: Back Orifice Traffic Detected 105 || 2 || spp_bo: Back Orifice Client Traffic Detected 105 || 3 || spp_bo: Back Orifice Server Traffic Detected +105 || 4 || spp_bo: Back Orifice Snort Buffer Attack 106 || 1 || spp_rpc_decode: Fragmented RPC Records 106 || 2 || spp_rpc_decode: Multiple Records in one packet 106 || 3 || spp_rpc_decode: Large RPC Record Fragment diff -Nru snort-2.4.2/etc/snort.conf snort-2.4.3/etc/snort.conf --- snort-2.4.2/etc/snort.conf 2005-09-28 04:42:26.000000000 +0200 +++ snort-2.4.3/etc/snort.conf 2005-10-17 15:50:55.000000000 +0200
@@ -1,8 +1,8 @@ #-------------------------------------------------- -# http://www.snort.org Snort 2.4.0 config file +# http://www.snort.org Snort 2.4.3 config file # Contact: [EMAIL PROTECTED] #-------------------------------------------------- -# $Id: snort.conf,v 1.144.2.9.2.15 2005/09/16 21:06:34 roesch Exp $ +# $Id: snort.conf,v 1.144.2.9.2.17 2005/10/16 22:21:08 mnorton Exp $ # ################################################### # This file contains a sample snort configuration.=20 @@ -425,13 +425,24 @@ =20 # bo: Back Orifice detector # ------------------------- -# Detects Back Orifice traffic on the network. Takes no arguments in 2.0. +# Detects Back Orifice traffic on the network. +# +# arguments: =20 +# syntax: +# preprocessor bo: noalert { client | server | general | snort_attack = } \ +# drop { client | server | general | snort_attack } +# example: +# preprocessor bo: noalert { general server } drop { snort_attack } + #=20 # The Back Orifice detector uses Generator ID 105 and uses the=20 # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected +# 2 Back Orifice Client Traffic Detected +# 3 Back Orifice Server Traffic Detected +# 4 Back Orifice Snort Buffer Attack =20 preprocessor bo =20 diff -Nru snort-2.4.2/src/generators.h snort-2.4.3/src/generators.h --- snort-2.4.2/src/generators.h 2005-09-14 21:09:10.000000000 +0200 +++ snort-2.4.3/src/generators.h 2005-10-16 20:55:29.000000000 +0200 @@ -1,4 +1,4 @@ -/* $Id: generators.h,v 1.36.4.4 2005/09/14 19:09:10 amullican Exp $ */ +/* $Id: generators.h,v 1.36.4.5 2005/10/16 18:55:29 ssturges Exp $ */ /* ** Copyright (C) 1998-2002 Martin Roesch <[EMAIL PROTECTED]> ** @@ -55,6 +55,7 @@ #define BO_TRAFFIC_DETECT 1 #define BO_CLIENT_TRAFFIC_DETECT 2 #define BO_SERVER_TRAFFIC_DETECT 3 +#define BO_SNORT_BUFFER_ATTACK 4 =20 #define GENERATOR_SPP_RPC_DECODE 106 #define RPC_FRAG_TRAFFIC 1 
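Review bot: in the snort.conf hunk for the bo preprocessor (@@ -425,13 +425,24 @@), the new syntax block documents `drop { client | server | general | snort_attack }` without saying that dropping has an effect only when Snort runs inline, which is what the code enforces (`InlineMode()` is tested before every `InlineDrop()`, and PrintConfig prints "Drop packets (inline only) on alerts:"); suggest adding "(inline mode only)" after the drop line. The SID table also spells SID 1 as "Back Orifice traffic detected" while SIDs 2-4 and gen-msg.map use "Traffic Detected"; one spelling would be tidier.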
@@ -272,6 +273,7 @@ #define BO_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Traffic detected" #define BO_CLIENT_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Client Traffic= detected" #define BO_SERVER_TRAFFIC_DETECT_STR "(spo_bo) Back Orifice Server Traffic= detected" +#define BO_SNORT_BUFFER_ATTACK_STR "(spo_bo) Back Orifice Snort buffer att= ack" =20 #define FNORD_NOPSLED_IA32_STR "(spp_fnord) Possible Mutated IA32 NOP Sled= detected" #define FNORD_NOPSLED_HPPA_STR "(spp_fnord) Possible Mutated HPPA NOP Sled= detected" diff -Nru snort-2.4.2/src/preprocessors/spp_bo.c snort-2.4.3/src/preprocess= ors/spp_bo.c --- snort-2.4.2/src/preprocessors/spp_bo.c 2005-03-16 22:52:18.000000000 +0= 100 +++ snort-2.4.3/src/preprocessors/spp_bo.c 2005-10-16 20:55:29.000000000 +0= 200 @@ -16,7 +16,7 @@ ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, U= SA. */ =20 -/* $Id: spp_bo.c,v 1.18.6.1 2005/03/16 21:52:18 jhewlett Exp $ */ +/* $Id: spp_bo.c,v 1.18.6.2 2005/10/16 18:55:29 ssturges Exp $ */ /* Snort Preprocessor Plugin Source File Bo */ =20 /* spp_bo=20 @@ -100,6 +100,14 @@ * BoRandValues_DefaultKey[6] =3D LocalBoRand() % 256; --> 173 (0xad) * BoRandValues_DefaultKey[7] =3D LocalBoRand() % 256; --> 29 (0x1d) *=20 + * Notes: + *=20 + * 10/13/2005 marc norton - This has a lot of changes to the runtime=20 + * decoding and testing. The '% 256' op was removed,=20 + * the xor op is bit wise so modulo is not needed,=20 + * the char casting truncates to one byte, + * and len testing has been modified as was the xor decode copy and=20 + * final PONG test. */ =20 #include <sys/types.h> @@ -117,6 +125,8 @@ #include "mstring.h" #include "util.h" #include "event_queue.h" +/* In case we need to drop this packet */ +#include "inline.h" =20 #include "snort.h" =20 
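Review bot: BO_SNORT_BUFFER_ATTACK_STR in the generators.h hunk (@@ -272,6 +273,7 @@) copies the "(spo_bo)" prefix of the three existing strings, but gen-msg.map in this same patch names the generator "spp_bo", which is the right prefix for a preprocessor (spo_ is used for output plugins); suggest "(spp_bo) Back Orifice Snort buffer attack", and fixing the three neighbours while here so all four agree with gen-msg.map.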
@@ -129,15 +139,31 @@ #define BO_FROM_CLIENT 1 #define BO_FROM_SERVER 2 =20 +#define BO_BUF_SIZE 8 +#define BO_BUF_ATTACK_SIZE 1024 + +/* Configuration defines */ +#define START_LIST "{" +#define END_LIST "}" +#define CONF_SEPARATORS " \t\n\r" +#define BO_ALERT_GENERAL 0x0001 +#define BO_ALERT_CLIENT 0x0002 +#define BO_ALERT_SERVER 0x0004 +#define BO_ALERT_SNORT_ATTACK 0x0008 + + /* list of function prototypes for this preprocessor */ -void BoInit(u_char *);; +void BoInit(u_char *); void BoProcess(Packet *); void BoFind(Packet *, void *); =20 /* list of private functions */ static int BoGetDirection(Packet *p, char *pkt_data); static void PrecalcPrefix(); -static int BoRand(); +static char BoRand(); +static void ProcessArgs(u_char *args); +static int ProcessOptionList(void); +static void PrintConfig(void); =20 #define MODNAME "spp_bo" =20 @@ -149,6 +175,10 @@ int brute_force_enable =3D 1; int default_key; =20 +static u_int16_t noalert_flags =3D 0; +static u_int16_t drop_flags =3D 0; + + u_int16_t lookup1[65536][3]; u_int16_t lookup2[65536]; =20 
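Review bot: the @@ -129,15 +139,31 @@ hunk introduces BO_BUF_SIZE 8 and BO_BUF_ATTACK_SIZE 1024 without a comment, and nothing records that BO_BUF_SIZE must stay larger than the 7-byte clamp BoGetDirection applies before it decodes into buf1; a comment on the define (for example `/* room for the 7 variable bytes BoGetDirection decodes, plus one */`) or a compile-time check against the clamp constant would protect the bound against later edits. The new configuration defines (START_LIST, END_LIST, CONF_SEPARATORS, BO_ALERT_*) are fine where they are, and removing the stray `;;` after the BoInit prototype is a welcome cleanup.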
@@ -185,15 +215,176 @@ */ void BoInit(u_char *args) { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Preprocessor: Bo Initialized\n")= ;); + static int bIsInitialized =3D 0; + + /* BoInit is re-entrant */ + if ( !bIsInitialized ) + { + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Preprocessor: Bo Initialized= \n");); + + /* we no longer need to take args */ + PrecalcPrefix(); =20 - /* we no longer need to take args */ - PrecalcPrefix(); + /* Set the preprocessor function into the function list */ + AddFuncToPreprocList(BoFind); + + bIsInitialized =3D 1; + } + + /* Process argument list */ + ProcessArgs(args); +} + + +/* + * Function: ProcessArgs(u_char *) + * + * Purpose: Parse additional config items. + * + * Arguments: args =3D> ptr to argument string + * syntax: + * preprocessor bo: noalert { client | server | general | snort_attack= } \ + * drop { client | server | general | snort_attack= } + * + * example: + * preprocessor bo: noalert { general server } drop { snort_attack } + * + * Returns: void function + * + */ +static void ProcessArgs(u_char *args) +{ + char *arg; + =20 + if ( args =3D=3D NULL ) + return; + + arg =3D strtok(args, CONF_SEPARATORS); + =20 + while ( arg !=3D NULL ) + { + if ( !strcasecmp("noalert", arg) ) + { + noalert_flags =3D ProcessOptionList(); + } + else if ( !strcasecmp("drop", arg) ) + { + drop_flags =3D ProcessOptionList(); + } + else + { + FatalError("%s(%d) =3D> Unknown bo option %s.\n",=20 + file_name, file_line, arg); + } + + arg =3D strtok(NULL, CONF_SEPARATORS); + } + + PrintConfig(); + + return; +} + + +/* + * Function: ProcessOptionList(u_char *) + * + * Purpose: Parse config list, either "noalert" or "drop". 
+ * + * Arguments: none, use string from strtok in ProcessArgs + * + * Returns: AND'ed list of flags based on option list + * + */ +static int ProcessOptionList(void) +{ + char *arg; + int retFlags =3D 0; + + arg =3D strtok(NULL, CONF_SEPARATORS); + + if ( arg =3D=3D NULL || strcmp(START_LIST, arg) ) + { + FatalError("%s(%d) =3D> Invalid bo option.\n",=20 + file_name, file_line); =20 + return 0; + } + =20 + while ( (arg =3D strtok(NULL, CONF_SEPARATORS)) ) + { + if ( !strcmp(END_LIST, arg) ) + { + break; + } + + if ( !strcasecmp("general", arg) ) + { + retFlags |=3D BO_ALERT_GENERAL; + } + else if ( !strcasecmp("client", arg) ) + { + retFlags |=3D BO_ALERT_CLIENT; + } + else if ( !strcasecmp("server", arg) ) + { + retFlags |=3D BO_ALERT_SERVER; + } + else if ( !strcasecmp("snort_attack", arg) ) + { + retFlags |=3D BO_ALERT_SNORT_ATTACK; + } + else + { + FatalError("%s(%d) =3D> Invalid bo option argument %s.\n",=20 + file_name, file_line, arg); =20 + } + } =20 - /* Set the preprocessor function into the function list */ - AddFuncToPreprocList(BoFind); + return retFlags; } =20 +/* + * Function: PrintConfig(u_char *) + * + * Purpose: Print configuration + * + * Arguments: none + * + * Returns: none + * + */ +static void PrintConfig(void) +{ + if ( noalert_flags !=3D 0 || drop_flags !=3D 0 ) + LogMessage("Back Orifice Config:\n"); + =20 + if ( noalert_flags !=3D 0 ) + { + LogMessage(" Disable alerts:"); + if ( noalert_flags & BO_ALERT_CLIENT ) + LogMessage(" client"); + if ( noalert_flags & BO_ALERT_SERVER ) + LogMessage(" server"); + if ( noalert_flags & BO_ALERT_GENERAL ) + LogMessage(" general"); + if ( noalert_flags & BO_ALERT_SNORT_ATTACK ) + LogMessage(" snort_attack"); + LogMessage("\n"); + } + if ( drop_flags !=3D 0 ) + { + LogMessage(" Drop packets (inline only) on alerts:"); + if ( drop_flags & BO_ALERT_CLIENT ) + LogMessage(" client"); + if ( drop_flags & BO_ALERT_SERVER ) + LogMessage(" server"); + if ( drop_flags & BO_ALERT_GENERAL ) + LogMessage(" 
general"); + if ( drop_flags & BO_ALERT_SNORT_ATTACK ) + LogMessage(" snort_attack"); + LogMessage("\n"); + } +} =20 /* * Function: BoRand() @@ -204,9 +395,10 @@ * * Returns: key to XOR with current char to be "encrypted" */ -static int BoRand() +static char BoRand() { - return(((holdrand =3D holdrand * 214013L + 2531011L) >> 16) & 0x7fff); + holdrand =3D holdrand * 214013L + 2531011L; + return (char) (((holdrand >> 16) & 0x7fff) & 0xFF); } =20 =20 @@ -233,7 +425,7 @@ /* convert the plaintext cookie to cyphertext for this key */ for(cookie_index=3D0;cookie_index<BACKORIFICE_MAGIC_SIZE;cookie_in= dex++) { - cookie_cyphertext[cookie_index] =3D(u_int8_t)(*cp_ptr^(BoRand(= )%256)); + cookie_cyphertext[cookie_index] =3D(u_int8_t)(*cp_ptr^(BoRand(= ))); cp_ptr++; } =20 @@ -285,6 +477,7 @@ * * Returns: void function * + * */ void BoFind(Packet *p, void *context) { @@ -347,13 +540,13 @@ if(lookup2[key] =3D=3D cyphertext_suffix) { holdrand =3D key; - pkt_data =3D p->data; - end =3D p->data + BACKORIFICE_MAGIC_SIZE; + pkt_data =3D (char*)p->data; + end =3D (char*)p->data + BACKORIFICE_MAGIC_SIZE; magic_data =3D magic_cookie; =20 while(pkt_data<end) { - plaintext =3D (char) (*pkt_data ^ (BoRand()%256)); + plaintext =3D (char) (*pkt_data ^ BoRand()); =20 if(*magic_data !=3D plaintext) { 
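Review bot: in the @@ -185,15 +215,176 @@ hunk, ProcessOptionList() takes no argument yet continues the strtok() walk that ProcessArgs() started (`arg = strtok(NULL, CONF_SEPARATORS)`), so the two functions are coupled through strtok's hidden state and any strtok() call between them would silently break option parsing; passing the tokenizer state explicitly (strtok_r) or at least documenting the dependency would help. The header comments are stale: ProcessOptionList and PrintConfig are both documented as `(u_char *)` although they take `void`, and "AND'ed list of flags" describes code that ORs them (`retFlags |= ...`). Because ProcessArgs() assigns (`noalert_flags = ProcessOptionList()`) rather than ORs, a second `preprocessor bo:` line replaces the first one's options, which is worth stating since BoInit is explicitly made re-entrant. Finally, the `return 0;` after FatalError() in ProcessOptionList is reachable only if FatalError() returns; if it does not, drop the line, and if it does, ProcessArgs continues with an empty flag set and a half-consumed option list.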
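Review bot: BoRand() in the @@ -204,9 +395,10 @@ hunk now returns `char`, and `((holdrand >> 16) & 0x7fff) & 0xFF` is just `& 0xFF`; on a signed-char target the returned value can be negative, which is harmless here because every caller XORs it into a `char`, but returning `u_int8_t` would state the intent (one keystream byte) and remove the signedness question, and the comment "key to XOR with current char" could note that the byte is the same whatever the width of `long` since only bits 16..23 of the low 32 bits are used.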
@@ -376,20 +569,44 @@ =20 if ( bo_direction =3D=3D BO_FROM_CLIENT ) { - SnortEventqAdd(GENERATOR_SPP_BO, BO_CLIENT_TRAFFIC_DETECT,= 1, 0, 0, - BO_CLIENT_TRAFFIC_DETECT_STR, 0); + if ( !(noalert_flags & BO_ALERT_CLIENT) ) + { + SnortEventqAdd(GENERATOR_SPP_BO, BO_CLIENT_TRAFFIC_DET= ECT, 1, 0, 0, + BO_CLIENT_TRAFFIC_DETECT_STR, = 0); + } + if ( (drop_flags & BO_ALERT_CLIENT) && InlineMode() ) + { + p->packet_flags |=3D PKT_INLINE_DROP; + InlineDrop(); + } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Client packet\n");); } else if ( bo_direction =3D=3D BO_FROM_SERVER ) { - SnortEventqAdd(GENERATOR_SPP_BO, BO_SERVER_TRAFFIC_DETECT,= 1, 0, 0, - BO_SERVER_TRAFFIC_DETECT_STR, 0); + if ( !(noalert_flags & BO_ALERT_SERVER) ) + { + SnortEventqAdd(GENERATOR_SPP_BO, BO_SERVER_TRAFFIC_DET= ECT, 1, 0, 0, + BO_SERVER_TRAFFIC_DETECT_STR, = 0); + } + if ( (drop_flags & BO_ALERT_SERVER) && InlineMode() ) + { + p->packet_flags |=3D PKT_INLINE_DROP; + InlineDrop(); + } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Server packet\n");); } else { - SnortEventqAdd(GENERATOR_SPP_BO, BO_TRAFFIC_DETECT, 1, 0, = 0, - BO_TRAFFIC_DETECT_STR, 0); + if ( !(noalert_flags & BO_ALERT_GENERAL) ) + { + SnortEventqAdd(GENERATOR_SPP_BO, BO_TRAFFIC_DETECT, 1,= 0, 0, + BO_TRAFFIC_DETECT_STR, 0); + } + if ( (drop_flags & BO_ALERT_GENERAL) && InlineMode() ) + { + p->packet_flags |=3D PKT_INLINE_DROP; + InlineDrop(); + } } =20 } } @@ -412,14 +629,15 @@ * * Reference: http://www.magnux.org/~flaviovs/boproto.html * BO header structure: - * Mnemonic Size in bytes + * Mnemonic Size in bytes * ------------------------- - * MAGIC 8 - * LEN 4 - * ID 4 - * T 1 - * DATA variable - * CRC 1 + * MAGIC 8 + * LEN 4 + * ID 4 + * T 1 + * DATA variable + * CRC 1 + * */ static int BoGetDirection(Packet *p, char *pkt_data) { 
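Review bot: the @@ -376,20 +569,44 @@ hunk repeats the same alert-then-drop block three times (client, server, general), differing only in the BO_ALERT_* bit, the SID and the message string, and BoGetDirection repeats it a fourth time for the snort_attack case; `p->packet_flags |= PKT_INLINE_DROP; InlineDrop();` appears verbatim in each branch. A small static helper taking (p, flag bit, sid, str) would keep the noalert/drop/InlineMode() rule in one place so the four sites cannot drift.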
@@ -427,11 +645,9 @@ u_int32_t id =3D 0; u_int32_t l, i; char type; - char buf1[1024]; - char buf2[1024]; - char *buf_ptr; + static char buf1[BO_BUF_SIZE]; char plaintext; - + =20 /* Check for the default port on either side */ if ( p->dp =3D=3D BACKORIFICE_DEFAULT_PORT ) { @@ -447,7 +663,7 @@ /* Get length from BO header - 32 bit int */ for ( i =3D 0; i < 4; i++ ) { - plaintext =3D (char) (*pkt_data ^ (BoRand()%256)); + plaintext =3D (char) (*pkt_data ^ BoRand()); l =3D (u_int32_t) plaintext; len +=3D l << (8*i); pkt_data++; 
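Review bot: in the @@ -427,11 +645,9 @@ hunk, replacing `char buf1[1024]; char buf2[1024]; char *buf_ptr;` with `static char buf1[BO_BUF_SIZE]` is the fix for the overflow itself, but nothing in the hunk says so; a comment that BoGetDirection decodes at most 7 data bytes into it (the clamp further down) would stop a later edit from growing the copy without growing the buffer. `static` also means every call shares the buffer, which is fine only while BoGetDirection is never re-entered and deserves a word in the same comment; since the buffer is fully rewritten before use and only 8 bytes long, a plain automatic array would avoid the question entirely.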
@@ -456,22 +672,57 @@ /* Get ID from BO header - 32 bit int */ for ( i =3D 0; i < 4; i++ ) { - plaintext =3D (char) (*pkt_data ^ (BoRand()%256)); + plaintext =3D (char) (*pkt_data ^ BoRand() ); l =3D ((u_int32_t) plaintext) & 0x000000FF; id +=3D l << (8*i); pkt_data++; } =20 - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Length =3D %lu\n", len);); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Data length =3D %lu\n", len);); + DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "ID =3D %lu\n", id);); + + /* Do more len checking */ + =20 + if ( len >=3D BO_BUF_ATTACK_SIZE ) + { + if ( !(noalert_flags & BO_ALERT_SNORT_ATTACK) ) + { + SnortEventqAdd(GENERATOR_SPP_BO, BO_SNORT_BUFFER_ATTACK, 1, 0,= 0, + BO_SNORT_BUFFER_ATTACK_STR, 0); + } + if ( (drop_flags & BO_ALERT_SNORT_ATTACK) && InlineMode() ) + { + p->packet_flags |=3D PKT_INLINE_DROP; + InlineDrop(); + } + + return BO_FROM_UNKNOWN; + } =20 /* Adjust for BO packet header length */ - len -=3D 18; + len -=3D BACKORIFICE_MIN_SIZE; =20 - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Data length =3D %lu\n", len);); - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "ID =3D %lu\n", id);); + if( len =3D=3D 0 ) + { + /* Need some data, or we can't figure out client or server */ + return BO_FROM_UNKNOWN;=20 + } + =20 + if( len > 7 ) + { + len =3D 7; /* we need no more than 7 variable chars */ + } =20 + /* length must be 7 OR LESS due to above logic */ + =20 + if( p->dsize < len ) + { + /* We don't have enough data to inspect */ + return BO_FROM_UNKNOWN; + } + =20 /* Continue parsing BO header */ - type =3D (char) (*pkt_data ^ (BoRand()%256)); + type =3D (char) (*pkt_data ^ BoRand()); pkt_data++; =20 if ( type & 0x80 ) 
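Review bot: in the @@ -456,22 +672,57 @@ hunk, `if( p->dsize < len )` compares the up-to-7 variable bytes still to be decoded against the whole payload size, but by this point the length and id loops have advanced pkt_data 8 bytes beyond the 8-byte magic that precedes them in the header layout given in the function comment, and one type byte is read right after the check, so the test can only fail for payloads shorter than 7 bytes and the later `buf1[i] = (char)(pkt_data[i] ^ BoRand())` loop can read past the end of a short payload whose length field is large; suggest checking the bytes that remain instead, e.g. `if ( p->dsize < BACKORIFICE_MIN_SIZE - 1 + len )`. Separately, `len -= BACKORIFICE_MIN_SIZE` wraps when the decoded length is below BACKORIFICE_MIN_SIZE; the `len > 7` clamp then makes the wrapped value harmless, but an explicit `if ( len < BACKORIFICE_MIN_SIZE ) return BO_FROM_UNKNOWN;` before the subtraction would reject those headers rather than silently treating them as 7-byte pings. The `len >= BO_BUF_ATTACK_SIZE` test is now a detection for attempts against the old 1024-byte buffer rather than the bound that protects this code, which the "Do more len checking" comment could say.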
@@ -488,37 +739,27 @@ =20 DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Type =3D 0x%x\n", type);); =20 - /* Only examine data if this a ping request or response */ + /* Only examine data if this is a ping request or response */ if ( type =3D=3D BO_TYPE_PING ) { - i =3D 0; - buf_ptr =3D buf1; - *buf1 =3D 0; - *buf2 =3D 0; - /* Decrypt data */ - while ( i < len ) - { - plaintext =3D (char) (*pkt_data ^ (BoRand()%256)); - *buf_ptr =3D plaintext; - i++; - pkt_data++; - buf_ptr++; - if ( plaintext =3D=3D 0 ) - buf_ptr =3D buf2; - } - /* null-terminate string */ - *buf_ptr =3D 0; - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf1 =3D %s\n", buf1);); - - if ( *buf2 !=3D 0 ) - { - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf2 =3D %s\n", buf2);); - } - - DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "crc =3D 0x%x\n", (char) (*p= kt_data ^ (BoRand()%256)));); - =20 - if ( len > 4 && !strncasecmp((buf1+3), "PONG", 4) ) + if ( len < 7 ) + { + return BO_FROM_CLIENT; + } + + for(i=3D0;i<len;i++ ) /* start at 0 to advance the BoRand() functi= on properly */ + { + buf1[i] =3D (char) (pkt_data[i] ^ BoRand()); + if ( buf1[i] =3D=3D 0 ) + { + return BO_FROM_UNKNOWN;=20 + } + } + + if( ( buf1[3] =3D=3D 'P' || buf1[3] =3D=3D 'p' ) && + ( buf1[4] =3D=3D 'O' || buf1[4] =3D=3D 'o' ) &&=20 + ( buf1[5] =3D=3D 'N' || buf1[5] =3D=3D 'n' ) &&=20 + ( buf1[6] =3D=3D 'G' || buf1[6] =3D=3D 'g' ) ) { return BO_FROM_SERVER; } 
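Review bot: in the @@ -488,37 +739,27 @@ hunk, `if ( buf1[i] == 0 ) return BO_FROM_UNKNOWN;` is a behaviour change from the removed loop, which treated a NUL as the separator between two strings (buf1/buf2) and still ran the PONG test on the first; now a NUL anywhere in the first seven data bytes also suppresses the client classification that shorter pings get from `if ( len < 7 ) return BO_FROM_CLIENT;`. If that is intended, say so in a comment; otherwise `break` and fall through to the comparison. With i < len <= 7 keeping the reads inside buf1, the hand-rolled compare of buf1[3..6] can go back to `!strncasecmp(buf1 + 3, "PONG", 4)`, which is easier to read than eight character tests.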
@@ -526,6 +767,7 @@ { return BO_FROM_CLIENT; } - } + }=20 + =20 return BO_FROM_UNKNOWN; }

---------------------------------------
Received: (at 334606-close) by bugs.debian.org; 28 Oct 2005 16:03:51 +0000
Date: Fri, 28 Oct 2005 18:03:49 +0200
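Review bot: the @@ -526,6 +767,7 @@ hunk changes nothing but whitespace (the closing `}` gains a trailing space and a blank line with a trailing space is added, visible as `}=20` and `=20` in the quoted-printable transport encoding); trailing whitespace is noise in the diff and should be dropped.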
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: snort: Remote buffer overflow in the 'bo' preprocessor
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.11

> I'm still investigating the issue to see if it affects the sarge, etch and
> sid versions (we are not using the bo preprocessor from 2.4, which seems to
> be the one vulnerable).

After investigating this issue, checking the source code changes and testing the available exploits, I conclude that this bug is *not* present in our Snort release. I am thus closing this bug.

FWIW this vulnerability was named CVE-2005-3252 and we are not affected by it.

Regards

Javier
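The following is an added example, not Snort's code and not part of the bug report: a bounded decoder for the Back Orifice header that mirrors the length handling of the 2.4.3 patch (the SID 4 threshold of 1024, the subtraction of the 18-byte minimum header, the clamp to 7 variable bytes, and the PONG test at offset 3) and goes slightly beyond it by rejecting length fields below the minimum header size explicitly and by bounding the copy against the bytes that remain after the header rather than against the whole payload. Labelled assumptions: the magic cookie is the 8-byte string "*!*QWTY?" from the public protocol description, BO_TYPE_PING is 1, the high bit of the type byte is a partial-packet flag that is simply cleared, and the trailing CRC byte is not modelled. The keystream generator is the LCG from spp_bo.c; the five datagrams in `example_case` are constructed here for the demonstration, with an arbitrary session key.

```c
/* Added example (not Snort's code): bounded Back Orifice header decoder.
 * Assumptions are marked; all sample datagrams are constructed below. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define BO_MAGIC           "*!*QWTY?" /* assumption: BO magic cookie */
#define BO_MAGIC_SIZE      8
#define BO_MIN_SIZE        18   /* magic 8 + len 4 + id 4 + type 1 + crc 1 */
#define BO_TYPE_PING       1    /* assumption: ping type value */
#define BO_BUF_SIZE        8    /* 7 decoded data bytes + 1 */
#define BO_MAX_VAR         7    /* the patch's "len = 7" clamp */
#define BO_BUF_ATTACK_SIZE 1024 /* the patch's SID 4 threshold */

enum bo_dir { BO_UNKNOWN = 0, BO_CLIENT, BO_SERVER, BO_BUFFER_ATTACK };

/* Keystream byte: the LCG from spp_bo.c (state * 214013 + 2531011, bits
 * 16..30), truncated to one byte as in the patched BoRand(). Only the low
 * 32 bits of the state influence the byte, so uint32_t is exact. */
static uint8_t bo_rand(uint32_t *state)
{
    *state = *state * 214013u + 2531011u;
    return (uint8_t)(((*state >> 16) & 0x7fff) & 0xff);
}

/* Classify one UDP payload of dsize bytes under the given session key. */
enum bo_dir bo_get_direction(const uint8_t *pkt, size_t dsize, uint32_t key)
{
    uint32_t state = key, len = 0, id = 0;
    uint8_t plain[BO_BUF_SIZE];
    size_t off = 0, i;
    uint8_t type;

    if (dsize < BO_MIN_SIZE)
        return BO_UNKNOWN;
    /* The magic cookie must decode byte for byte. */
    for (i = 0; i < BO_MAGIC_SIZE; i++, off++)
        if ((uint8_t)(pkt[off] ^ bo_rand(&state)) != (uint8_t)BO_MAGIC[i])
            return BO_UNKNOWN;
    /* 32-bit little-endian total length and id fields. */
    for (i = 0; i < 4; i++, off++)
        len |= (uint32_t)(pkt[off] ^ bo_rand(&state)) << (8 * i);
    for (i = 0; i < 4; i++, off++)
        id |= (uint32_t)(pkt[off] ^ bo_rand(&state)) << (8 * i);
    (void)id;
    /* SID 4 condition: a length at or beyond the old 1024-byte buffer is
     * reported, not parsed. */
    if (len >= BO_BUF_ATTACK_SIZE)
        return BO_BUFFER_ATTACK;
    /* Reject undersized headers explicitly instead of letting len wrap. */
    if (len < BO_MIN_SIZE)
        return BO_UNKNOWN;
    len -= BO_MIN_SIZE;
    if (len == 0)
        return BO_UNKNOWN;        /* no data: cannot tell client from server */
    if (len > BO_MAX_VAR)
        len = BO_MAX_VAR;         /* never decode more than fits in plain[] */
    type = (uint8_t)((pkt[off++] ^ bo_rand(&state)) & 0x7f); /* clear partial flag */
    if (type != BO_TYPE_PING)
        return BO_UNKNOWN;
    /* Bound the copy against the bytes actually present after the header. */
    if (off + len > dsize)
        return BO_UNKNOWN;
    if (len < BO_MAX_VAR)
        return BO_CLIENT;         /* too short to carry "xxxPONG" */
    for (i = 0; i < len; i++) {
        plain[i] = (uint8_t)(pkt[off + i] ^ bo_rand(&state));
        if (plain[i] == 0)
            return BO_UNKNOWN;
    }
    plain[len] = 0;
    return strncasecmp((const char *)plain + 3, "PONG", 4) == 0 ? BO_SERVER : BO_CLIENT;
}

/* Build a constructed datagram: magic, length, id, type, data, zero CRC, all
 * XORed with the keystream. A non-zero declared_len overrides the length
 * field so malformed headers can be produced. Returns bytes written. */
static size_t bo_build(uint8_t *out, size_t cap, uint32_t key, uint8_t type,
                       const char *data, size_t data_len, uint32_t declared_len)
{
    uint32_t state = key;
    uint32_t len = declared_len ? declared_len : (uint32_t)(BO_MIN_SIZE + data_len);
    size_t n = 0, i;

    if (cap < BO_MIN_SIZE + data_len)
        return 0;
    memcpy(out, BO_MAGIC, BO_MAGIC_SIZE);
    n += BO_MAGIC_SIZE;
    for (i = 0; i < 4; i++) out[n++] = (uint8_t)(len >> (8 * i));
    for (i = 0; i < 4; i++) out[n++] = (uint8_t)(0x1337u >> (8 * i)); /* arbitrary id */
    out[n++] = type;
    memcpy(out + n, data, data_len);
    n += data_len;
    out[n++] = 0;                                  /* CRC placeholder */
    for (i = 0; i < n; i++) out[i] ^= bo_rand(&state);
    return n;
}

/* Constructed cases: 0 server pong, 1 client ping, 2 oversized length field,
 * 3 length field larger than the datagram, 4 decoded with the wrong key. */
enum bo_dir example_case(int which)
{
    const uint32_t key = 31337;   /* arbitrary session key for the samples */
    uint8_t pkt[64];
    size_t n;

    switch (which) {
    case 0: n = bo_build(pkt, sizeof pkt, key, BO_TYPE_PING, "v12PONG!srv", 11, 0); break;
    case 1: n = bo_build(pkt, sizeof pkt, key, BO_TYPE_PING, "hi", 2, 0); break;
    case 2: n = bo_build(pkt, sizeof pkt, key, BO_TYPE_PING, "", 0, 4096); break;
    case 3: n = bo_build(pkt, sizeof pkt, key, BO_TYPE_PING, "", 0, 29); break;
    case 4: n = bo_build(pkt, sizeof pkt, key, BO_TYPE_PING, "v12PONG!srv", 11, 0);
            return bo_get_direction(pkt, n, key + 1);
    default: return BO_UNKNOWN;
    }
    return bo_get_direction(pkt, n, key);
}

int main(void)
{
    static const char *names[] = { "unknown", "client", "server", "buffer attack" };
    int c;
    for (c = 0; c < 5; c++)
        printf("case %d -> %s\n", c, names[example_case(c)]);
    return 0;
}
```

Compile with `cc -Wall -o bo_decode bo_decode.c` and run; the five cases print server, client, buffer attack, unknown, unknown. The ordering matters: the oversized-length test runs before any subtraction or clamping, so a header that would have driven the removed 1024-byte copy is classified without touching the data bytes, and the remaining-bytes check (`off + len > dsize`) is what keeps the decode loop inside the datagram for case 3.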