Snort GRE Packet Decoding Integer Overflow Vulnerability

Vulnerability ID: 1192130    Vulnerability type: design error
Published: 2007-01-16    Updated: 2007-01-17
CVE ID: CVE-2007-0251    CNNVD ID: CNNVD-200701-203
Platform: N/A    CVSS score: 7.8
|Vulnerability Sources
https://cxsecurity.com/issue/WLB-2007010080
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-203
|Vulnerability Details
Snort is a network intrusion prevention and intrusion detection system from the Snort team. It provides packet sniffing, packet analysis and packet inspection, and many other IDS products also use Snort or its components. The DecodeGRE() function in Snort's decode.c contains an integer overflow vulnerability when decoding the GRE protocol, which an attacker could use to obtain certain sensitive information. The relevant code is as follows:

==BEGIN CODE==
...
(line 3459 decode.c)
void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
{
    u_int8_t flags;
    u_int32_t hlen;    /* GRE header length */
    u_int32_t payload_len;
...
payload_len = len - hlen;	(calculation for payload_len is done here)
...
switch (ntohs(p->greh->ether_type))	(line 3597 decode.c)
    {
...
        default:			(line 3625 decode.c)
            pc.other++;
            p->data = pkt + hlen;
            p->dsize = (u_short)payload_len;  (truncates payload_len to 65XXX)
            return;
    }
...
==END CODE==

payload_len, len and hlen are all 32-bit unsigned integers. A specially crafted GRE packet triggers an integer underflow, causing payload_len to wrap around to a very large value. If the correct protocol field in the GRE header is used, the attacker reaches line 3627 of decode.c, which assigns payload_len to p->dsize as an unsigned short, truncating payload_len to roughly 65535. Snort must have been compiled with the --enable-gre option and run with the -d option (which dumps the application-layer content of every packet) for the vulnerability to be exploitable. On receiving a malicious packet, Snort reads and logs data beyond the packet's length in memory, leaking memory that may contain the contents of other packets, Snort rules and various Snort data structures.
|Vulnerability EXP
Calyptix Security Advisory CX-2007-001
Date: 01/11/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-01.txt

[ Overview ]

Snort 2.6.1.2 is vulnerable to an integer underflow that allows a
remote attacker to cause Snort to read beyond a specified length of
memory, potentially corrupting logfiles.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Low Risk' as
the vulnerable code will not be compiled by default. Please see the
analysis section for more details.

[ Patch / Fix / Workaround ]

Sourcefire has released a fix for this vulnerability in Snort's current CVS
tree.

[ Analysis ]

Snort 2.6.1.2 has support for decoding the Generic Routing
Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary
protocols to a remote host. The vulnerability in Snort's parsing
engine is located in the function DecodeGRE() in decode.c

==BEGIN CODE==
...
(line 3459 decode.c)
void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
{
    u_int8_t flags;
    u_int32_t hlen;    /* GRE header length */
    u_int32_t payload_len;
...
payload_len = len - hlen;	(calculation for payload_len is done here)
...
switch (ntohs(p->greh->ether_type))	(line 3597 decode.c)
    {
...
        default:			(line 3625 decode.c)
            pc.other++;
            p->data = pkt + hlen;
            p->dsize = (u_short)payload_len;  (truncates payload_len to 65XXX)
            return;
    }
...
==END CODE==

'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer
types. A specially crafted GRE packet will trigger an integer
underflow, causing 'payload_len' to wrap around and become a very
large number. If the correct protocol field in the GRE header is
used, the attacker can reach line 3627 of decode.c, which assigns
'payload_len' as an unsigned short to p->dsize. This truncates
payload_len to around 65535. In order to exploit the vulnerability,
Snort must be compiled with '--enable-gre' and run with the '-d'
flag to dump the application layer content of each packet. Upon
receiving the malicious packet, Snort will read and log beyond the
packet's length in memory. This will leak other portions of memory
that may contain the contents of other packets, Snort rules, and
various Snort data structures.
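The underflow described above, modelled in C as an added example (not Snort's own decode.c): a simplified GRE v0 header-length calculation, the unchecked `len - hlen` subtraction beside a checked version that rejects a packet shorter than its advertised header. The GRE_FLAG_* names, the function names and the sample packet bytes are constructed for this illustration and are assumptions, not Snort identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a GRE v0 header (RFC 2784/2890): a 4-byte base
 * (flags/version, protocol type) plus 4 bytes each for the optional
 * checksum/offset, key and sequence fields. Added illustration only;
 * this is not Snort's decode.c. */
#define GRE_BASE_LEN    4u
#define GRE_FLAG_CHKSUM 0x80  /* C bit, first byte of the header */
#define GRE_FLAG_ROUTE  0x40  /* R bit */
#define GRE_FLAG_KEY    0x20  /* K bit */
#define GRE_FLAG_SEQ    0x10  /* S bit */

/* Constructed sample: flags claim key + sequence (hlen = 12) but only
 * 6 bytes were captured, so the header is longer than the packet. */
static const uint8_t SAMPLE_TRUNCATED[6] = {
    GRE_FLAG_KEY | GRE_FLAG_SEQ, 0x00, 0x08, 0x00, 0xAA, 0xBB };
#define SAMPLE_TRUNCATED_LEN 6u

/* Constructed sample: plain 4-byte header followed by 16 payload bytes. */
static const uint8_t SAMPLE_OK[20] = {
    0x00, 0x00, 0x08, 0x00,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
#define SAMPLE_OK_LEN 20u

/* Header length implied by the flag byte alone, regardless of how many
 * bytes were actually captured. */
static uint32_t gre_header_len(uint8_t flags)
{
    uint32_t hlen = GRE_BASE_LEN;
    if (flags & (GRE_FLAG_CHKSUM | GRE_FLAG_ROUTE)) hlen += 4; /* checksum + offset */
    if (flags & GRE_FLAG_KEY) hlen += 4;
    if (flags & GRE_FLAG_SEQ) hlen += 4;
    return hlen;
}

/* Vulnerable pattern from the advisory: payload_len = len - hlen with no
 * check that len >= hlen. When the packet is shorter than the header it
 * claims, the unsigned subtraction wraps to a huge value and the u_short
 * cast keeps only the low 16 bits, so dsize is large and bogus. */
static uint16_t decode_gre_vulnerable(const uint8_t *pkt, uint32_t len)
{
    uint32_t hlen = gre_header_len(pkt[0]);
    uint32_t payload_len = len - hlen;   /* may underflow */
    return (uint16_t)payload_len;        /* truncation as in p->dsize */
}

/* Hardened pattern: refuse to decode when the captured length cannot hold
 * the advertised header, and when the payload would not fit the 16-bit
 * dsize field. Returns the payload length, or -1 for a rejected packet. */
static int32_t decode_gre_checked(const uint8_t *pkt, uint32_t len)
{
    if (len < GRE_BASE_LEN) return -1;        /* cannot even read the flags */
    uint32_t hlen = gre_header_len(pkt[0]);
    if (len < hlen) return -1;                /* header longer than packet */
    uint32_t payload_len = len - hlen;
    if (payload_len > UINT16_MAX) return -1;  /* would be truncated by u_short */
    return (int32_t)payload_len;
}

int main(void)
{
    printf("truncated packet, vulnerable dsize: %u\n",
           decode_gre_vulnerable(SAMPLE_TRUNCATED, SAMPLE_TRUNCATED_LEN));
    printf("truncated packet, checked result:   %d\n",
           decode_gre_checked(SAMPLE_TRUNCATED, SAMPLE_TRUNCATED_LEN));
    printf("well-formed packet, checked result: %d\n",
           decode_gre_checked(SAMPLE_OK, SAMPLE_OK_LEN));
    return 0;
}
```

For the truncated sample the unchecked version computes 6 - 12, which wraps to 0xFFFFFFFA and is cut down to 65530 by the 16-bit cast, exactly the "around 65535" value the advisory describes; a decoder that then dumps dsize bytes from pkt + hlen walks well past the captured packet. The checked version rejects that packet and accepts the well-formed one, which is the bounds check the fix needs to add before the subtraction, not after it.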

[ Disclosure Timeline ]

01/06/2007 - Vulnerability Discovered
01/08/2007 - Sourcefire, Inc. Contacted
01/11/2007 - Sourcefire Released Fix in Snort CVS
01/11/2007 - Public Disclosure

[ Credit ]

Chris Rohlf of Calyptix Security discovered this vulnerability.

[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing
advisories2007 (at) calyptix (dot) com

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification.  This advisory may not be modified without the
express written consent of Calyptix Security.  If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007 (at) calyptix (dot) com for such permission.

The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition.  There are no warranties with regard to any information
in this advisory.  None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.
|References

Source: www.snort.org
Link: http://www.snort.org/got_source/source.html
Source: BID
Name: 22004
Link: http://www.securityfocus.com/bid/22004
Source: BUGTRAQ
Name: 20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/456598/100/0/threaded
Source: OSVDB
Name: 33464
Link: http://osvdb.org/33464
Source: OSVDB
Name: 32095
Link: http://osvdb.org/32095
Source: MISC
Link: http://labs.calyptix.com/advisories/CX-2007-01.txt
Source: VUPEN
Name: ADV-2007-0152
Link: http://www.frsirt.com/english/advisories/2007/0152
Source: SECTRACK
Name: 1017507
Link: http://securitytracker.com/id?1017507
Source: SREASON
Name: 2165
Link: http://securityreason.com/securityalert/2165
Source: NSFOCUS
Name: 9805
Link: http://www.nsfocus.net/vulndb/9805