Re: Re: [Snort-users] Snort DoS Fallacies

[Martin Roesch <roesch () sourcefire com>]

I think your response can be safely classified as FUD as it is filled  
with inaccuracies and serves only to cast doubt on the code, the  
ability of the development team and (strangely) the quality of  
Sourcefire's products.  Let me just net it out:

Q1) This is a replay of the milw0rm TCP Option processing DoS.
A1) Wrong, this is a different issue

Q2) How did this make it back into the codebase?
A2) It didn't, your research was incorrect.

Q3) Does this problem affect Sourcefire as well?
A3) No, Sourcefire appliances are configured for robustness and  
performance, we don't use ASCII mode logging or alerting ever for any  
reason from the Snort engines on our products.

Q4) If the rest of the code doesn't have this vulnerability why were  
the additional NULL pointer checks added?
A4) Safe coding practices, Steve Sturges thought that it wouldn't be  
a bad idea to put those checks in there and I agreed.  I'm 100% sure  
they aren't vulnerable because I actually tested it.  Personally I  
don't like all those memcpy()'s in that function and when I (or  
someone here) get the time I'd like to go back and change how that  
function works.

Q5) Frag3 has the problem in the snapshot I downloaded, why won't you  
admit it?
A5) Because you're wrong.  The snapshot you're referring to has the  
fixes in PrintTcpOptions(), so even with the call to PrintIPPkt() in  
there the DoS doesn't work.  Version 2.4.0 did not have the code you  
are referring to.

This is the code checked out of cvs.snort.org from last night.

   3050 #ifdef DEBUG_FRAG3
   3051     /*
   3052      * Note, that this won't print out the IP Options or any  
other
   3053      * data that is established when the packet is decoded.
   3054      */
   3055     if (DEBUG_FRAG & GetDebugLevel())
   3056     {
   3057         ClearDumpBuf();
   3058         printf("++++++++++++++++++Frag3 DEFRAG'd PACKET++++++ 
++++++++\n");
   3059         PrintIPPkt(stdout, defrag_pkt->iph->ip_proto,  
defrag_pkt);
   3060         printf("++++++++++++++++++Frag3 DEFRAG'd PACKET++++++ 
++++++++\n");
   3061         ClearDumpBuf();
   3062     }
   3063 #endif
   3064     ProcessPacket(NULL, defrag_pkt->pkth, defrag_pkt->pkt, ft);
   3065
   3066     DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
   3067                 "Done with rebuilt packet, marking rebuilt... 
\n"););
   3068
   3069     ft->frag_flags = ft->frag_flags | FRAG_REBUILT;
   3070 }
   3071

Here's the code from the 2.4.0 stable release tarball on snort.org:

   2595 #ifdef DEBUG_FRAG3
   2596     /*
   2597      * Note, that this won't print out the IP Options or any  
other
   2598      * data that is established when the packet is decoded.
   2599      */
   2600     if (DEBUG_FRAG & GetDebugLevel())
   2601     {
   2602         ClearDumpBuf();
   2603         printf("++++++++++++++++++Frag3 DEFRAG'd PACKET++++++ 
++++++++\n");
   2604         PrintIPPkt(stdout, defrag_pkt->iph->ip_proto,  
defrag_pkt);
   2605         printf("++++++++++++++++++Frag3 DEFRAG'd PACKET++++++ 
++++++++\n");
   2606         ClearDumpBuf();
   2607     }
   2608 #endif
   2609     ProcessPacket(NULL, defrag_pkt->pkth, defrag_pkt->pkt, ft);
   2610
   2611     DEBUG_WRAP(DebugMessage(DEBUG_FRAG,
   2612                 "Done with rebuilt packet, marking rebuilt... 
\n"););
   2613
   2614     ft->frag_flags = ft->frag_flags | FRAG_REBUILT;
   2615 }

Note that the code in question isn't in there in either version.  It  
looks to me like some debug code snuck into the snapshot, we'll have  
to update that.

Q6) Blackboxing/fuzzing "are of little value", why did you use that  
method?
A6) I tested every possible input to the system (a simple test since  
we're dealing only with  two 8-bit values in the test matrix) by  
modifying the PoC and generating all the potential value pairs.  This  
method clearly showed the DoS condition for option 5 with length 2  
and that it did not occur under any other input set.  I would  
consider this a valid test for the purposes of analyzing this code  
path and vulnerability.

Q7) "And your team, the vendor missed all of the above on your first  
*two* passes through, once in Dec 2004, and once in Aug/Sep 2005,  
does this mean what you've said and/or done is without merit as well?"
A7) You are incorrect, these were two different issues and you are  
confusing them.  The merits of our analysis is obvious because it is  
independently verifiable as being correct.

Q8) How can you say I was wrong about the "-A fast" switch when the  
DoS can effect fast output mode?
A8) Because your analysis was incorrect, the conditions under which  
the DoS could be manifested was different than your assertion.  There  
is a DoS condition for manually configured fast mode with a specific  
argument only.

Q9) Why did you keep the ASCII logging problem "quiet"?
A9) If you're running ASCII logging mode you are now subject to two  
DoS conditions, I don't consider the risk of one to be greater than  
the other because inode exhaustion can happen far before a disk is  
actually full.

Q10) I have no proof that other TCP options can't cause this  
condition, how can I trust your analysis?
A10) I actually setup an instrumented, repeatable test and proved  
it.  The test is easily recreated by grabbing the POC code from the  
net and applying the attached patch.

Q11) "Did you not at least get dejavu from 2004?"
A11) I did for about 2 seconds, but then I realized it was a  
different issue when I actually did some empirical testing and  
research/debugging.  If you had actually looked at the code and  
understood what you were looking at you would have seen that too.   
The issue from 2004 was an off-by-one error in an array index that  
could manifest if the TCP option decoder bailed out early.  This was  
a problem  with a NULL pointer dereference from a specific option  
setting as a side effect of the way the validation routine works.

Q12) "You do not find it odd at all, that you say 'no one should be  
doing xyz on production sensors anyways', and then you suggest that  
they run CVS code on production sensors?  Which one do you think will  
result in problems first?"
A12) Knowing the exact scope of the changes in the logging code, I  
think that patching in a new log.c file from CVS is a safe course of  
action, otherwise I wouldn't have recommended it.  It's not bad  
advice because people can trivially look at the diffs from CVS and  
see what changed.

Q13) Justin Ferguson made a patch against 2.3.3 that fixes this  
problem, should I use it?
A13) I would not under any circumstances move back to 2.3.3 or use a  
patch from an untrusted 3rd party in a production sensor, there were  
many bug fixes and new features incorporated in 2.4.0 and reverting  
to an old version is a step in the wrong direction.  It is far safer  
and advisable to use the log.c in CVS or wait for the 2.4.1 release  
if you're not running fast/full alerting or ASCII logging.

     -Marty

Attachment: tcpoptdos-mod.diff
Description:

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Attachment: PGP.sig
Description: This is a digitally signed message part