Thursday, December 23, 2004

Details on the Snort DoS Condition

You may have heard of an exploit for a denial of service condition in Snort. In short, according to Snort.org, "You are only vulnerable if you are running snort with "FAST" output (which isn't very fast) or in verbose mode... Using barnyard? Using snortdb? You are not vulnerable."

Exploit code is here:

http://www.k-otik.com/exploits/20041222.angelDust.c.php

Lurking in #snort and #snort-gui on irc.freenode.net, I learned the following about this vulnerability by listening to Marty. I hope he doesn't mind being quoted in the hopes of getting this information out to reassure the community:

roesch: it's a bug that gets manifested by the packet printers in log.c
roesch: if you use the -v switch when you run snort you can have a problem, if you're not running the tcp protocol printer in log.c (i.e. using the -v switch or logging in default ascii logging mode) then you're not affected
roesch: so if you're running snort as an IDS (which most people are) then you're fine
roesch: the problem is that we increment the opt_count too early in DecodeTCPOptions
roesch: it crashes when the null ptr is dereferenced in PrintTcpOptions
roesch: a null ptr deref is where we try to look at memory at address 0 on the computer and it tells us to pi$$ off
roesch: basically
roesch: the problem is on line 3035 of decode.c
roesch: the crash comes on line 1556 of log.c for angeldust
roesch: doesn't seem to be any way to whack tcp_options[].data pointer
roesch: so I don't think it's remotely exploitable
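The ordering bug Marty describes above, as an added example in C that is neither Snort's code nor part of the original post: a hypothetical decoder that, when early_count is set, bumps its option count before the entry's data pointer is filled in, so a truncated option list leaves a counted entry with data == NULL, next to a hypothetical printer that checks for that NULL instead of dereferencing it. All names (TcpOption, decode_tcp_options, print_tcp_options, run_sample) and the sample option bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 8
typedef struct { uint8_t code; uint8_t len; const uint8_t *data; } TcpOption;

/* Hypothetical decoder (not Snort's code). With early_count set, an entry is counted
 * before its data pointer is filled in, so a truncated option leaves a counted entry
 * with data == NULL: the ordering bug the post describes. Returns -1 on truncation. */
int decode_tcp_options(const uint8_t *p, size_t n, TcpOption *opts, int *count, int early_count)
{
    size_t i = 0; *count = 0;
    memset(opts, 0, sizeof(TcpOption) * MAX_OPTS);   /* every data pointer starts NULL */
    while (i < n && *count < MAX_OPTS) {
        TcpOption *o = &opts[*count];
        o->code = p[i];
        if (early_count) (*count)++;                    /* counted before it is complete */
        if (o->code <= 1) {                             /* EOL (0) or NOP (1): one byte */
            o->len = 1; o->data = p + i++;
        } else {
            if (i + 1 >= n) return -1;                  /* length byte missing */
            o->len = p[i + 1];
            if (o->len < 2 || i + o->len > n) return -1; /* declared length runs past buffer */
            o->data = p + i + 2; i += o->len;
        }
        if (!early_count) (*count)++;                   /* counted only once complete */
        if (o->code == 0) break;
    }
    return (int)i;
}

/* Hypothetical printer: returns options printed, or -1 on a NULL data pointer. */
int print_tcp_options(const TcpOption *opts, int count)
{
    for (int k = 0; k < count; k++) {
        if (opts[k].data == NULL) return -1;            /* would otherwise crash here */
        printf("option %u, length %u\n", opts[k].code, opts[k].len);
    }
    return count;
}

/* Constructed sample: MSS (2,4,0x05,0xb4), NOP, then window scale claiming length 3 with two bytes left. */
int run_sample(int early_count, int *count_out)
{
    static const uint8_t pkt[] = { 2, 4, 0x05, 0xb4, 1, 3, 3 };
    TcpOption opts[MAX_OPTS];
    decode_tcp_options(pkt, sizeof pkt, opts, count_out, early_count);
    return print_tcp_options(opts, *count_out);
}
```

With early counting the truncated third option is handed to the printer with a NULL data pointer; counting only after the entry is complete leaves the printer two fully populated options.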