Full Disclosure mailing list archives
Senseless Buffer Overflow in SNOSOFT.COM IDS Suite
From: "snosoft () ziplip com" <snosoft () ziplip com>
Date: Sat, 15 Nov 2003 15:44:35 -0800 (PST)
Secure Network Operations, Inc.
http://www.secnetops.com/research
Strategic Reconnaissance Team
research () secnetops com
Team Lead Contact: kf () secnetops com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Amongst which the expertise of 15-year-old efnet hackers who are allowed to operate under the guise of a single person's clearance level. We encourage our staff's vivid imaginations and we feel that playing spook is very much a teambuilding endeavour, not much unlike corporate paintball.

To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829

Quick Summary:
************************************************************************
Advisory Number     : SRT2003-11-14-0911
Product             : Snosoft Anvil IDS Suite
Version             : All of 'em.
Vendor              : http://twdx.secnetops.com/service
Class               : Local
Criticality         : High (to our one customer)
Operating System(s) : FreeBSD

Notice
************************************************************************
The full technical details of this vulnerability can be found at: http://www.secnetops.com under the research section.

Basic Explanation
************************************************************************
High Level Description :
Our best of security professionals understand that strncpy is a safe function, so using it for our primary input assures that we are secure throughout the rest of our code.

What to do :
To adequately protect yourself from threats, we recommend that our one customer terminate their contract with us and use Mike Schiffman as their sole security provider.

Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has no concept.

Low Level Description :
ANVIL is an overpriced IDS suite that is, for all practical purposes, nothing more than Snort repackaged on a FreeBSD livecd, that logs to a mysql database using stunnel for added security. Essentially the only piece of unique code in this IDS suite, written by the Snosoft Secure Network Something Team, is called ip-to-hex.c. Since the program is short, we will include the entire GPL'd source code in our advisory so that the world can understand how gifted we are as both programmers and security experts.

We at SNO (Secure Network Operations) understand that every programmer has two modes: secure mode and insecure mode. And although our teenybopper staff severely screwed up this non-critical application, we assure you that they would never make similar mistakes in critical applications. It does not indicate that we didn't audit SNORT before shamelessly repackaging it and providing it with a "convenient single-target environment."

/*
   Apex Intrusion Detection Solution (TM)
   Copyright (C) 2003, Secure Network Operations, Inc. All rights reserved.
   -------------------------------------------------------------------------
   http://www.secnetops.com
   Compile: gcc -o iptohex iptohex.c
   usage:   ./iptohex <IP-V4-ADDRESS>
   Released under the GNU Public License.
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi(), exit() */
#include <string.h>

char *ip(char *ip, char *iphex)
{
    char buf[80], buf2[80];   /* fixed-size stack buffers; nothing below checks their bounds */
    int p = 0, i = 0;

    iphex[0] = 0;
    while (ip[p] != 0) {
        i = 0;
        /* copies every byte up to the next '.' into buf[80], however long the field is */
        while (ip[p] != '.' && ip[p] != 0) {
            buf[i++] = ip[p++];
        }
        buf[i] = 0;
        sprintf(buf2, "%02X", atoi(buf));   /* values above 255 produce more than two digits */
        strcat(iphex, buf2);                /* appended unbounded into the caller's buf[128] */
        if (ip[p] != 0)
            p++;
    }
    return iphex;
}

int main(int argc, char *argv[])
{
    char buf[128];
    char mkch[128];

    if (argc == 1) {
        printf("usage : iptohex [ip address]\n");
        printf("return: hex\n");
        exit(0);
    }
    /* strncpy() leaves mkch without a terminating NUL when argv[1] is 128 bytes or longer */
    strncpy(mkch, argv[1], 128);
    printf("0x%s\n", ip(mkch, buf));
    return 0;
}

To begin tracing the bug down, compile the software and run it with a long string of A's generated with perl -e on the command line. If you use enough A's, it should crash. In the spirit of full disclosure, we will allow the community to help track down all the issues with the program, and maybe help us better understand the very languages that we are experts at.

Vendor Status : Currently awaiting the assistance of community members to help us track down why the program is crashing, before we can issue a fix and send the latest version of the ANVIL livecd to our customer.

Bugtraq URL : To be assigned.
CVE candidate : CAN-2003-0911.

Special thanks to iDefense for allowing our "company" to participate in the profiling of the Phrack High Council. In the end, it seems we are the ones that got "reconned", and that there are probably better sources of "intelligence" than either Snosoft or iDefense.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories but can be obtained under contract. Contact our sales department at sales () secnetops com for further information on how to obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"The act of reconning is a race condition; we attempt to recon you before you recon us, but we aren't always as successful as we'd like."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
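For comparison with the ip() routine in the message above, here is a bounded rewrite added as an editorial example; it is not part of the advisory or of the ANVIL code, and the names ip_to_hex and ip_to_hex_str are this example's own. It validates each octet in place instead of copying fields into fixed-size stack buffers, and refuses malformed input rather than truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the advisory's code): bounded replacement for ip().
 * On success writes exactly eight hex digits plus NUL into out (outlen must
 * be >= 9) and returns 0; returns -1 on malformed input or a too-small
 * buffer instead of overrunning anything. */
int ip_to_hex(const char *ip, char *out, size_t outlen)
{
    unsigned octets[4];
    const char *p = ip;
    int n;

    if (ip == NULL || out == NULL || outlen < 9)
        return -1;

    for (n = 0; n < 4; n++) {
        /* An octet is at most three decimal digits, so it is parsed in
         * place; no per-field copy like the original buf[80]. */
        unsigned value = 0;
        int digits = 0;
        while (*p >= '0' && *p <= '9') {
            value = value * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || value > 255)
                return -1;      /* "999" or "0001" is rejected, not truncated */
            p++;
        }
        if (digits == 0)
            return -1;          /* empty field, or a non-digit such as 'A' */
        octets[n] = value;
        if (n < 3) {
            if (*p != '.')
                return -1;      /* fewer than four octets */
            p++;
        }
    }
    if (*p != '\0')
        return -1;              /* trailing '.', a fifth octet, or other junk */

    snprintf(out, outlen, "%02X%02X%02X%02X",
             octets[0], octets[1], octets[2], octets[3]);
    return 0;
}

/* Convenience wrapper: hex string for a valid address, NULL otherwise. */
const char *ip_to_hex_str(const char *ip)
{
    static char out[9];
    return ip_to_hex(ip, out, sizeof out) == 0 ? out : NULL;
}
```

Feeding it the long run of A's the advisory suggests returns -1 at the first field instead of crashing, because nothing is ever copied into a buffer whose size depends on the input.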