Calyptix Security Advisory CX-2007-001 Date: 01/11/2007 http://www.calyptix.com/ http://labs.calyptix.com/advisories/CX-2007-01.txt [ Overview ] Snort 2.6.1.2 is vulnerable to an integer underflow that allows a remote attacker to cause Snort to read beyond a specified length of memory, potentially corrupting logfiles. [ Risk ] Calyptix Security has classified this vulnerability as 'Low Risk' as the vulnerable code will not be compiled by default. Please see the analysis section for more details. [ Patch / Fix / Workaround ] Sourcefire has released a fix for this vulnerability in Snort's current CVS tree. [ Analysis ] Snort 2.6.1.2 has support for decoding the Generic Routing Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary protocols to a remote host. The vulnerability in Snort's parsing engine is located in the function DecodeGRE() in decode.c ==BEGIN CODE== ... (line 3459 decode.c) void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p) { u_int8_t flags; u_int32_t hlen; /* GRE header length */ u_int32_t payload_len; ... payload_len = len - hlen; (calculation for payload_len is done here) ... switch (ntohs(p->greh->ether_type)) (line 3597 decode.c) { ... default: (line 3625 decode.c) pc.other++; p->data = pkt + hlen; p->dsize = (u_short)payload_len; (truncates payload_len to 65XXX) return; } ... ==END CODE== 'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer types. A specially crafted GRE packet will trigger an integer underflow, causing 'payload_len' to wrap around and become a very large number. If the correct protocol field in the GRE header is used, the attacker can reach line 3627 of decode.c, which assigns 'payload_len' as an unsigned short to p->dsize. This truncates payload_len to around 65535. In order to exploit the vulnerability, Snort must be compiled with '--enable-gre' and run with the '-d' flag to dump the application layer content of each packet. Upon receiving the malicious packet, Snort will read and log beyond the packet's length in memory. This will leak other portions of memory that may contain the contents of other packets, Snort rules, and various Snort data structures. [ Disclosure Timeline ] 01/06/2007 - Vulnerability Discovered 01/08/2007 - Sourcefire, Inc. Contacted 01/11/2007 - Sourcefire Released Fix in Snort CVS 01/11/2007 - Public Disclosure [ Credit ] Chris Rohlf of Calyptix Security discovered this vulnerability. [ Contact ] You can contact Calyptix Security about this vulnerability by e-mailing advisories2007 (at) calyptix (dot) com [email concealed] [ About Calyptix Security ] Calyptix Security, founded in 2002, is located in Charlotte, North Carolina. Our Unified Threat Management (UTM) product, the AccessEnforcer (TM), is used by customers to protect their network infrastructure from security threats and is the only security appliance in the market that deploys DyVax (TM), our patent-pending signatureless inspection engine. The AccessEnforcer provides our customers all available gateway security features, including VPN, Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and IM management, for a single price with no add-ons and no hidden costs. [ Legal Notice ] Calyptix Security grants each recipient of this advisory permission to redistribute this advisory in electronic or other written medium without modification. This advisory may not be modified without the express written consent of Calyptix Security. If the recipient wishes to modify the advisory in any manner or redistribute the contents of this advisory other than by way of an exact written or electronic transmission hereof, please email advisories2007 (at) calyptix (dot) com [email concealed] for such permission. The information in this advisory is believe to be accurate at the time of publication based upon currently available information. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to any information in this advisory. None of the author, the publisher nor Calyptix Security (nor any of their employees, affiliates or agents) accepts or has any liability for any direct, indirect or consequential loss or damage arising from the use of, or reliance on, any information contained in this advisory.