Re: Possible FP 17390

[Joel Esler <jesler () sourcefire com>]

Rmkml,

Actually none of the above.

The vulnerability has to do with two particular ResourceID's that could be present in an APP13 section of a jpeg.  This 
will cause ClamAV 94.2 and prior to go into infinite recursion when trying to process a jpeg thumbnail.  Eventually 
clamd will shutdown, thusly, a DoS.

James --

After looking at the pcap you sent me offlist, the pcap DOES contain a vulnerable jpeg that would DoS an older version 
of ClamAV.  (read:  This isn't a false positive)  

If you don't have ClamAV on the network (or it's >94.2) you can shut the rule off.  Otherwise... :)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


 
On Sep 20, 2011, at 5:02 PM, rmkml wrote:

> Thx you James and Joel,
> Exploit here:
> http://downloads.securityfocus.com/vulnerabilities/exploits/32555.c
> Im curious if this exploit DoS because:
> -jpeg loop? (iter 200000)
> -marker APP13 (\xffed) section size too short? (\x0002)
> -photoshopthumbnail tag size too big? \x01010101)
> -or combinations?
> Regards
> Rmkml
>
>
> On Tue, 20 Sep 2011, Joel Esler wrote:
>
> > James, can you send it to me in just pcap form?  I just want to make sure that any false positives are eliminated.
> > I had a hunch it was 2.9.1, do you have PAF enabled in your config?
> > Joel
> >
> > On Sep 20, 2011, at 4:07 PM, Lay, James wrote:
> >
> > > > -----Original Message-----
> > > > From: Joel Esler [mailto:jesler () sourcefire com]
> > > > Sent: Tuesday, September 20, 2011 12:39 PM
> > > > To: Lay, James
> > > > Cc: snort-sigs () lists sourceforge net
> > > > Subject: [Spam] Re: [Snort-sigs] Possible FP 17390
> > > > Importance: Low
> > > >
> > > > James,
> > > >
> > > > After looking at this, I have a couple questions:
> > > >
> > > > #1 -- What version of Snort are you using?
> > > > #2 -- The vulnerability condition is not in this packet.  What are you using
> > > > to log?  You may see the actual logged vulnerability condition in an
> > > > additional packet later, in perhaps a "tagged" packet (depending on what
> > > > interface you are using).  But I can't see the vulnerability condition on
> > > > the paste you included below.
> > > > #3 -- We actually used a jpg to replicate this condition in ClamAV.
> > > >
> > > > So, a couple points.  First, if you can get full packet capture of the
> > > > vulnerability condition and surrounding packets, that'd be great.
> > > > Because I can't see the vuln here.  Second, if you aren't running ClamAV,
> > > > I suggest you shut this rule off anyway.
> > > >
> > > > --
> > > > Joel Esler
> > > > Senior Research Engineer, VRT
> > > > OpenSource Community Manager
> > > > Sourcefire
> > >
> > > Hey Joel,
> > >
> > > This is snort 2.9.1 using 2.9.1 VRT rules.  The packet cap is via
> > > sguil/barnyard2/squert...I don't think it's logging everything, but I
> > > got the pcap out of the unified2 file and here's the only other packet,
> > > but I can see where it hit now.  Think I'll kill this rule...thanks
> > > Joel.
> > >
> > > James
> > >
> > > 00000578  58 59 5a 20 00 00 00 00  00 00 9c 18 00 00 4f a5 XYZ ....
> > > 00000588  00 00 04 fc 58 59 5a 20  00 00 00 00 00 00 34 8d ....XYZ
> > > 00000598  00 00 a0 2c 00 00 0f 95  58 59 5a 20 00 00 00 00 ...,.... XYZ
> > > 000005A8  00 00 26 31 00 00 10 2f  00 00 be 9c ff ed 5b da ..&1.../
> > > 000005B8  50 68 6f 74 6f 73 68 6f  70 20 33 2e 30 00 38 42 Photoshop 3.0.8B
> > > 000005C8  49 4d 04 0c 00 00 00 00  5b a2 00 00 00 01 00 00 IM......
> > > 000005D8  01 00 00 00 00 aa 00 00  03 00 00 01 fe 00 00 00 ........
> > > 000005E8  5b 86 00 18 00 01 ff d8  ff ee 00 0e 41 64 6f 62 [.......
> > > 000005F8  65 00 64 00 00 00 00 01  ff db 00 84 00 06 04 04 e.d.....
> > > 00000608  04 05 04 06 05 05 06 09  06 05 06 09 0b 08 06 06 ........
> ...


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!