Vulnerability Development mailing list archives
Re: snort crash ...
From: K2 <ktwo () KTWO CA>
Date: Sun, 30 Jul 2000 06:06:52 -0700
Hi, I'm here at DEFCON and I tracked down the Snort author and the defragmentation engine author. Here's some info.

The defragger had a major patch on Jul 26 that fixed a stack corruption problem. The important thing to check on this crash is whether the defragmentation preprocessor was enabled (if so, this problem has likely been fixed in the latest beta 14 of the defragger). If not, there is a known issue with some ICMP/IGMP handling, some of which has also been patched recently by the Snort author, Marty Roesch.

To check whether the defragger is enabled you have to look for a line in the snort rules file that says "preprocessor defrag". If this is not the case, you should probably contact the Snort defragger author at dr () dursec com, because it means this is a new, unknown problem.

PS. DEFCON is over tomorrow; give everybody a day or so to recover and then there should be some more definitive info for you all :)

K2/dragos @defcon

On Fri, 28 Jul 2000, MMS26 wrote:
On Tue, 25 Jul 2000, Fabio Pietrosanti wrote:

Yeah... it opens a raw socket, presumably for the IGMP you logged below, but I have no idea why... I mailed Marty Roesch (who is generally really good about responding to these types of issues) for more details...

Date: Tue, 25 Jul 2000 13:07:17 +0200
From: Fabio Pietrosanti <fabio () TELEMAIL IT>
Reply-To: naif () inet it
To: VULN-DEV () SECURITYFOCUS COM
Subject: snort crash ...

Hi, look here...

Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across stack boundary.
Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()

I tried to find out why it crashes, and it happens when IGMP fragments like these transit my network:

13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)

I started strace on snort's PID and this is the output when it crashes:

recvfrom(3, "\377\377\377\377\377\377\0\20Z\372"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 243
ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
write(1, "07/25-12:59:14.177329 194.185.73"..., 62) = 62
write(1, "UDP TTL:128 TOS:0x0 ID:60408 \n", 30) = 30
write(1, "Len: 209\n", 9) = 9
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
recvfrom(3, "\377\377\377\377\377\377\0`\10\304"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 249
ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
write(1, "07/25-12:59:14.177794 194.185.73"..., 62) = 62
write(1, "UDP TTL:32 TOS:0x0 ID:58686 \n", 29) = 29
write(1, "Len: 215\n", 9) = 9
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
recvfrom(3, "\1\200\302\0\0\0\0P\275q\267\223"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 60
ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
recvfrom(3, "\3\0\0\0\0\1\0\240$[\243\26\0\255"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 187
ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
recvfrom(3, "\0\260\216n\3408\0P\332>t?\10\0E"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 444
ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
write(1, "07/25-12:59:16.466164 127.0.0.1 "..., 50) = 50
write(1, "Proto: 2 TTL:255 TOS:0x0 ID:2756"..., 38) = 38
write(1, "Frag Offset: 0x0 Frag Size: 0x"..., 36) = 36
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
brk(0x8373000) = 0x8373000
readlink("/proc/self/exe", "/usr/local/sbin/snort", 4094) = 21
brk(0x8376000) = 0x8376000
time([964522756]) = 964522756
getpid() = 7023
rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
socket(PF_UNIX, SOCK_DGRAM, 0) = 7
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
close(7) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 7
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 50, 0) = 50
rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
time([964522756]) = 964522756
getpid() = 7023
rt_sigaction(0xd, 0xbfffe170, 0xbfffe0e4, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 90, 0) = 90
rt_sigaction(0xd, 0xbfffe174, 0, 0x8, 0xd) = 0
time([964522756]) = 964522756
getpid() = 7023
rt_sigaction(0xd, 0xbfffe164, 0xbfffe0d8, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 72, 0) = 72
rt_sigaction(0xd, 0xbfffe168, 0, 0x8, 0xd) = 0
time([964522756]) = 964522756
getpid() = 7023
rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 66, 0) = 66
rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
close(7) = 0
write(2, "Detected an attempt to write acr"..., 52) = 52
write(2, "Terminating /usr/local/sbin/snor"..., 35) = 35
_exit(1) = ?

That's all.

naif

MMS26
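Editor's added example (not code from this thread, from Snort, or from the defragger): the tcpdump lines Fabio posted describe a fragment set that is hostile to any reassembler. In tcpdump's `(frag id:size@offset+)` notation the offset is already in bytes and `+` marks the More Fragments bit, so `410@0+` followed by `410@8+` is a second fragment that starts 8 bytes into the first and re-covers almost all of it, and both non-final fragments have a length that is not a multiple of 8. The block below parses that notation from the captured lines, flags overlap, bad length and a range past the 64 KiB IP maximum, and shows the bounds-checked form of the one operation the libsafe message points at: a memcpy of a fragment's payload to `buffer + offset` that trusts the packet's own offset and length. Function names, the flag bits, `MAX_FRAGS` and the buffer capacities are assumptions of this example; the six sample lines are copied from the report above.

```c
/* Added example, not Snort's or the defragger's code. Names, flag bits and
 * buffer sizes are assumptions chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS    16
#define IP_MAX_DGRAM 65535u       /* largest IPv4 datagram, in bytes */

#define F_BAD_LEN  1u   /* MF set but length not a multiple of 8 */
#define F_TOO_LONG 2u   /* offset + length runs past a 64 KiB datagram */
#define F_OVERLAP  4u   /* byte range intersects an earlier fragment of this id */

struct frag { unsigned id, len, off; int more; };

/* Byte ranges already seen for one IP id (reset when the id changes). */
struct reasm { unsigned id, n; unsigned off[MAX_FRAGS], len[MAX_FRAGS]; };

/* tcpdump prints "(frag ID:LEN@OFF+)": OFF is in bytes, '+' means MF set. */
int parse_frag(const char *line, struct frag *f)
{
    const char *p = strstr(line, "(frag ");
    char mf[2] = "";
    if (!p) return 0;
    int n = sscanf(p, "(frag %u:%u@%u%1[+]", &f->id, &f->len, &f->off, mf);
    if (n < 3) return 0;
    f->more = (n == 4);           /* the scanset only matches when '+' is present */
    return 1;
}

/* Classify one fragment against the ranges seen so far; returns F_* bits.
 * The fragment is recorded even when flagged so later overlaps still show. */
unsigned check_frag(struct reasm *r, const struct frag *f)
{
    unsigned flags = 0, i;
    if (r->n == 0 || r->id != f->id) { r->n = 0; r->id = f->id; }
    if (f->more && (f->len % 8) != 0) flags |= F_BAD_LEN;
    if ((uint64_t)f->off + f->len > IP_MAX_DGRAM) flags |= F_TOO_LONG;
    for (i = 0; i < r->n; i++) {
        unsigned a0 = r->off[i], a1 = a0 + r->len[i];
        if (f->off < a1 && a0 < f->off + f->len) { flags |= F_OVERLAP; break; }
    }
    if (r->n < MAX_FRAGS) { r->off[r->n] = f->off; r->len[r->n] = f->len; r->n++; }
    return flags;
}

/* The operation libsafe complained about is memcpy(buf + off, payload, len)
 * into a fixed-size reassembly buffer with off and len taken from the packet.
 * This version refuses the copy unless the whole range fits in the buffer. */
int copy_fragment(unsigned char *buf, size_t cap, const struct frag *f,
                  const unsigned char *payload)
{
    if ((uint64_t)f->off + f->len > cap) return -1;   /* would write past buf */
    memcpy(buf + f->off, payload, f->len);
    return 0;
}

/* Run the classifier over capture lines; returns the OR of every flag raised. */
unsigned scan_capture(const char *const *lines, size_t nlines)
{
    struct reasm r = {0};
    unsigned seen = 0;
    for (size_t i = 0; i < nlines; i++) {
        struct frag f;
        if (!parse_frag(lines[i], &f)) continue;       /* not a fragment line */
        unsigned fl = check_frag(&r, &f);
        seen |= fl;
        if (fl) printf("line %zu: id %u len %u off %u flags 0x%x\n",
                       i + 1, f.id, f.len, f.off, fl);
    }
    return seen;
}

/* The six tcpdump lines from Fabio's report, copied verbatim. */
const char *const SAMPLE[] = {
    "13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)",
    "13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)",
    "13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)",
    "13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)",
    "13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)",
    "13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    unsigned fl = scan_capture(SAMPLE, NSAMPLE);
    printf("flags raised over the capture: 0x%x\n", fl);
    return 0;
}
```

Every line of the sample raises F_BAD_LEN (410 is not a multiple of 8 yet MF is set) and every line after the first raises F_OVERLAP, so the capture as a whole yields `F_BAD_LEN | F_OVERLAP`. The `copy_fragment` guard is the general fix for the failure class K2 describes as "stack corruption" in the defragger; it does not say how the actual patch was written, which this thread does not show.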
Current thread:
- Re: snort crash ... K2 (Aug 01)
- Re: snort crash ... Fyodor (Aug 02)
- Re: snort crash ... MMS26 (Aug 02)
- Re: [Snort-users] Re: snort crash ... Fyodor (Aug 02)
- Re: [Snort-users] Re: snort crash ... MMS26 (Aug 02)
- Re: snort crash ... MMS26 (Aug 02)
- Re: snort crash ... Fyodor (Aug 02)