
Re: snort crash ...


From: MMS26 <mms () SPEAKEASY ORG>
Date: Fri, 28 Jul 2000 08:13:36 -0700

On Tue, 25 Jul 2000, Fabio Pietrosanti wrote:

yeh... it opens a raw socket, presumably for the igmp you logged below,
but i have no idea why... i mailed marty roesch (who is generally really
good about responding to these types of issues) for more details...

Date: Tue, 25 Jul 2000 13:07:17 +0200
From: Fabio Pietrosanti <fabio () TELEMAIL IT>
Reply-To: naif () inet it
To: VULN-DEV () SECURITYFOCUS COM
Subject: snort crash ...

hi look here...

Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across
stack boundary.
Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()


i try to find why it crashes, and it happens when igmp fragments like
these transit my network:
13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
27565:410@0+)
13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
27565:410@0+)
13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag
27565:410@0+)
13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)


i start a strace on snort's pid and this is the output when it crashes (the last packet it logs before the libsafe messages is the proto-2 fragment at offset 0, matching the igmp fragments above):
recvfrom(3, "\377\377\377\377\377\377\0\20Z\372"..., 1564, 0,
{sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 243
ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
write(1, "07/25-12:59:14.177329 194.185.73"..., 62) = 62
write(1, "UDP TTL:128 TOS:0x0 ID:60408 \n", 30) = 30
write(1, "Len: 209\n", 9)               = 9
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
recvfrom(3, "\377\377\377\377\377\377\0`\10\304"..., 1564, 0,
{sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 249
ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
write(1, "07/25-12:59:14.177794 194.185.73"..., 62) = 62
write(1, "UDP TTL:32 TOS:0x0 ID:58686 \n", 29) = 29
write(1, "Len: 215\n", 9)               = 9
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
recvfrom(3, "\1\200\302\0\0\0\0P\275q\267\223"..., 1564, 0,
{sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 60
ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
recvfrom(3, "\3\0\0\0\0\1\0\240$[\243\26\0\255"..., 1564, 0,
{sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 187
ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
recvfrom(3, "\0\260\216n\3408\0P\332>t?\10\0E"..., 1564, 0,
{sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 444
ioctl(3, SIOCGSTAMP, 0xbffff8c0)        = 0
write(1, "07/25-12:59:16.466164 127.0.0.1 "..., 50) = 50
write(1, "Proto: 2 TTL:255 TOS:0x0 ID:2756"..., 38) = 38
write(1, "Frag Offset: 0x0   Frag Size: 0x"..., 36) = 36
write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
brk(0x8373000)                          = 0x8373000
readlink("/proc/self/exe", "/usr/local/sbin/snort", 4094) = 21
brk(0x8376000)                          = 0x8376000
time([964522756])                       = 964522756
getpid()                                = 7023
rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
socket(PF_UNIX, SOCK_DGRAM, 0)          = 7
fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = -1 EPROTOTYPE
(Protocol wrong type for socket)
close(7)                                = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 7
fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 50, 0) = 50
rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
time([964522756])                       = 964522756
getpid()                                = 7023
rt_sigaction(0xd, 0xbfffe170, 0xbfffe0e4, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 90, 0) = 90
rt_sigaction(0xd, 0xbfffe174, 0, 0x8, 0xd) = 0
time([964522756])                       = 964522756
getpid()                                = 7023
rt_sigaction(0xd, 0xbfffe164, 0xbfffe0d8, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 72, 0) = 72
rt_sigaction(0xd, 0xbfffe168, 0, 0x8, 0xd) = 0
time([964522756])                       = 964522756
getpid()                                = 7023
rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 66, 0) = 66
rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
close(7)                                = 0
write(2, "Detected an attempt to write acr"..., 52) = 52
write(2, "Terminating /usr/local/sbin/snor"..., 35) = 35
_exit(1)                                = ?



That's all.


naif



MMS26

