Re: snort crash ...

[K2 <ktwo () KTWO CA>]

Hi, I'm here at defcon and I tracked down the snort author, and the
defragmentation engine author.... here's some nfo's...

The defragger has had a major patch on Jul 26 that fixed a stack
corruption problem.  The important thing to check on this crash is
whether the defragmention preprocessor was enabled, (if so then likely
this problem has been fixed, in the latest beta 14 of the defragger).
If not there is a known issue with some icmp/igmp handling ... some
of which has also been patched recently, by the snort author
Marty Roesch.

To check if the defragger is enabled you have to look for a line
in the snort rules file that says "preprocessor defrag".

If this is not the case, you should probably contact the snort defragger
author at dr () dursec com becaquse it means this is a new unknown problem.


PS. defcon is over tomarrow, give everybody a day or so to recover and
then there should be some more definitive info for you all :)


K2/dragos @defcon


On Fri, 28 Jul 2000, MMS26 wrote:

> On Tue, 25 Jul 2000, Fabio Pietrosanti wrote:
>
> yeh... it opens a raw socket, presumably for the igmp you logged below,
> but i have no idea why... i mailed marty roesch ( who is generally really
> good about responding to these types of issues ) for more details...
>
> > Date: Tue, 25 Jul 2000 13:07:17 +0200
> > From: Fabio Pietrosanti <fabio () TELEMAIL IT>
> > Reply-To: naif () inet it
> > To: VULN-DEV () SECURITYFOCUS COM
> > Subject: snort crash ...
> >
> > hi look here...
> >
> > Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
> > Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across
> > stack boundary.
> > Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
> > Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()
> >
> >
> > i try to find why it crash, and it appens when on my network transit igmp
> > fragment like this
> > 13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> > 27565:410@0+)
> > 13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
> > 13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> > 27565:410@0+)
> > 13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
> > 13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
> > 27565:410@0+)
> > 13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
> >
> >
> > i start a strace on snort's pid and this is the output when it crash:
> > recvfrom(3, "\377\377\377\377\377\377\0\20Z\372"..., 1564, 0,
> > {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 243
> > ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> > write(1, "07/25-12:59:14.177329 194.185.73"..., 62) = 62
> > write(1, "UDP TTL:128 TOS:0x0 ID:60408 \n", 30) = 30
> > write(1, "Len: 209\n", 9)               = 9
> > write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> > recvfrom(3, "\377\377\377\377\377\377\0`\10\304"..., 1564, 0,
> > {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 249
> > ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> > write(1, "07/25-12:59:14.177794 194.185.73"..., 62) = 62
> > write(1, "UDP TTL:32 TOS:0x0 ID:58686 \n", 29) = 29
> > write(1, "Len: 215\n", 9)               = 9
> > write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> > recvfrom(3, "\1\200\302\0\0\0\0P\275q\267\223"..., 1564, 0,
> > {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 60
> > ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> > recvfrom(3, "\3\0\0\0\0\1\0\240$[\243\26\0\255"..., 1564, 0,
> > {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 187
> > ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> > recvfrom(3, "\0\260\216n\3408\0P\332>t?\10\0E"..., 1564, 0,
> > {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 444
> > ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
> > write(1, "07/25-12:59:16.466164 127.0.0.1 "..., 50) = 50
> > write(1, "Proto: 2 TTL:255 TOS:0x0 ID:2756"..., 38) = 38
> > write(1, "Frag Offset: 0x0   Frag Size: 0x"..., 36) = 36
> > write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> > brk(0x8373000)                          = 0x8373000
> > readlink("/proc/self/exe", "/usr/local/sbin/snort", 4094) = 21
> > brk(0x8376000)                          = 0x8376000
> > time([964522756])                       = 964522756
> > getpid()                                = 7023
> > rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> > socket(PF_UNIX, SOCK_DGRAM, 0)          = 7
> > fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
> > connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = -1 EPROTOTYPE
> > (Protocol wrong type for socket)
> > close(7)                                = 0
> > socket(PF_UNIX, SOCK_STREAM, 0)         = 7
> > fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
> > connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = 0
> > send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 50, 0) = 50
> > rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> > time([964522756])                       = 964522756
> > getpid()                                = 7023
> > rt_sigaction(0xd, 0xbfffe170, 0xbfffe0e4, 0x8, 0xd) = 0
> > send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 90, 0) = 90
> > rt_sigaction(0xd, 0xbfffe174, 0, 0x8, 0xd) = 0
> > time([964522756])                       = 964522756
> > getpid()                                = 7023
> > rt_sigaction(0xd, 0xbfffe164, 0xbfffe0d8, 0x8, 0xd) = 0
> > send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 72, 0) = 72
> > rt_sigaction(0xd, 0xbfffe168, 0, 0x8, 0xd) = 0
> > time([964522756])                       = 964522756
> > getpid()                                = 7023
> > rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> > send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 66, 0) = 66
> > rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> > close(7)                                = 0
> > write(2, "Detected an attempt to write acr"..., 52) = 52
> > write(2, "Terminating /usr/local/sbin/snor"..., 35) = 35
> > _exit(1)                                = ?
> >
> >
> >
> > That's all .
> >
> >
> > naif
>
>
> MMS26