Vulnerability Development mailing list archives
Re: snort crash ...
From: MMS26 <mms () SPEAKEASY ORG>
Date: Fri, 28 Jul 2000 08:13:36 -0700
On Tue, 25 Jul 2000, Fabio Pietrosanti wrote:

yeh... it opens a raw socket, presumably for the igmp you logged below, but i have no idea why... i mailed marty roesch ( who is generally really good about responding to these types of issues ) for more details...

> Date: Tue, 25 Jul 2000 13:07:17 +0200
> From: Fabio Pietrosanti <fabio () TELEMAIL IT>
> Reply-To: naif () inet it
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: snort crash ...
>
> hi, look here...
>
> Jul 25 12:59:16 naif libsafe.so[7023]: version 1.3
> Jul 25 12:59:16 naif libsafe.so[7023]: detected an attempt to write across stack boundary.
> Jul 25 12:59:16 naif libsafe.so[7023]: terminating /usr/local/sbin/snort
> Jul 25 12:59:16 naif libsafe.so[7023]: overflow caused by memcpy()
>
> i tried to find out why it crashes, and it happens when igmp fragments like these transit on my network:
>
> 13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
> 13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
> 13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
> 13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
> 13:03:25.764985 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)
> 13:03:25.765303 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)
>
> i started an strace on snort's pid, and this is the output when it crashes:
>
> recvfrom(3, "\377\377\377\377\377\377\0\20Z\372"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 243
> ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
> write(1, "07/25-12:59:14.177329 194.185.73"..., 62) = 62
> write(1, "UDP TTL:128 TOS:0x0 ID:60408 \n", 30) = 30
> write(1, "Len: 209\n", 9) = 9
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> recvfrom(3, "\377\377\377\377\377\377\0`\10\304"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 249
> ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
> write(1, "07/25-12:59:14.177794 194.185.73"..., 62) = 62
> write(1, "UDP TTL:32 TOS:0x0 ID:58686 \n", 29) = 29
> write(1, "Len: 215\n", 9) = 9
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> recvfrom(3, "\1\200\302\0\0\0\0P\275q\267\223"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 60
> ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
> recvfrom(3, "\3\0\0\0\0\1\0\240$[\243\26\0\255"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 187
> ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
> recvfrom(3, "\0\260\216n\3408\0P\332>t?\10\0E"..., 1564, 0, {sun_family=AF_UNIX, sun_path="eth0"}, [18]) = 444
> ioctl(3, SIOCGSTAMP, 0xbffff8c0) = 0
> write(1, "07/25-12:59:16.466164 127.0.0.1 "..., 50) = 50
> write(1, "Proto: 2 TTL:255 TOS:0x0 ID:2756"..., 38) = 38
> write(1, "Frag Offset: 0x0 Frag Size: 0x"..., 36) = 36
> write(1, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"..., 67) = 67
> brk(0x8373000) = 0x8373000
> readlink("/proc/self/exe", "/usr/local/sbin/snort", 4094) = 21
> brk(0x8376000) = 0x8376000
> time([964522756]) = 964522756
> getpid() = 7023
> rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> socket(PF_UNIX, SOCK_DGRAM, 0) = 7
> fcntl(7, F_SETFD, FD_CLOEXEC) = 0
> connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> close(7) = 0
> socket(PF_UNIX, SOCK_STREAM, 0) = 7
> fcntl(7, F_SETFD, FD_CLOEXEC) = 0
> connect(7, {sun_family=AF_UNIX, sun_path="/dev/log"}, 16) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 50, 0) = 50
> rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> time([964522756]) = 964522756
> getpid() = 7023
> rt_sigaction(0xd, 0xbfffe170, 0xbfffe0e4, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 90, 0) = 90
> rt_sigaction(0xd, 0xbfffe174, 0, 0x8, 0xd) = 0
> time([964522756]) = 964522756
> getpid() = 7023
> rt_sigaction(0xd, 0xbfffe164, 0xbfffe0d8, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 72, 0) = 72
> rt_sigaction(0xd, 0xbfffe168, 0, 0x8, 0xd) = 0
> time([964522756]) = 964522756
> getpid() = 7023
> rt_sigaction(0xd, 0xbfffe158, 0xbfffe0cc, 0x8, 0xd) = 0
> send(7, "<82>Jul 25 12:59:16 libsafe.so[7"..., 66, 0) = 66
> rt_sigaction(0xd, 0xbfffe15c, 0, 0x8, 0xd) = 0
> close(7) = 0
> write(2, "Detected an attempt to write acr"..., 52) = 52
> write(2, "Terminating /usr/local/sbin/snor"..., 35) = 35
> _exit(1) = ?
>
> That's all.
>
> naif
MMS26
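The tcpdump lines quoted in the thread show a fragment train worth looking at from a sensor-hardening angle: the same IP ID carries one fragment of 410 bytes at offset 0 and another of 410 bytes at offset 8, so the two overlap, and 410 is not a multiple of 8 even though the more-fragments flag is set (RFC 791 requires every non-final fragment's data length to be a multiple of 8). The following is an added example, not code from the thread, from Snort, or from libsafe. It parses tcpdump's `(frag ID:SIZE@OFFSET+)` notation (offset in bytes, `+` meaning more fragments follow) and reports overlapping or mis-sized fragments per IP ID, so a monitoring host can flag fragment trains like the quoted one before they reach a fragile reassembler. The sample lines are constructed here to mirror the quoted capture.

```python
import re
from dataclasses import dataclass

# tcpdump fragment notation: "(frag <id>:<size>@<byte-offset>[+])"
# The trailing "+" marks the More-Fragments (MF) flag.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


@dataclass
class Frag:
    ident: int   # IP identification field
    size: int    # fragment payload length in bytes
    offset: int  # fragment offset in bytes (tcpdump prints bytes, not 8-byte units)
    more: bool   # MF flag set


def parse_frag(line):
    """Return a Frag for a tcpdump line carrying fragment notation, else None."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    return Frag(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) == "+")


def check_fragments(lines):
    """Walk tcpdump lines and collect anomalies per IP ID.

    Flags (a) non-final fragments whose length is not a multiple of 8, which
    RFC 791 forbids, and (b) fragments whose byte range overlaps an earlier
    fragment with the same ID. Returns {ident: sorted list of unique reasons};
    IDs with no findings are absent, so a clean train yields {}.
    """
    findings = {}
    ranges = {}  # ident -> list of (start, end) byte ranges already seen
    for line in lines:
        f = parse_frag(line)
        if f is None:
            continue
        reasons = findings.setdefault(f.ident, set())
        if f.more and f.size % 8:
            reasons.add(f"non-final fragment length {f.size} is not a multiple of 8")
        start, end = f.offset, f.offset + f.size
        for s, e in ranges.get(f.ident, []):
            if start < e and s < end:  # half-open interval intersection
                reasons.add(f"fragment {start}-{end} overlaps earlier fragment {s}-{e}")
                break
        ranges.setdefault(f.ident, []).append((start, end))
    return {ident: sorted(r) for ident, r in findings.items() if r}


# Constructed sample mirroring the capture quoted in the thread (not the original data).
SAMPLE_LINES = [
    "13:03:25.733060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)",
    "13:03:25.733702 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)",
    "13:03:25.745060 127.0.0.1 > 151.20.148.103: igmp-2 [v0][|igmp] (frag 27565:410@0+)",
    "13:03:25.745389 127.0.0.1 > 151.20.148.103: (frag 27565:410@8+)",
]

# Constructed well-formed train for comparison: 1480-byte first fragment, final fragment at 1480.
CLEAN_LINES = [
    "13:04:00.000000 10.0.0.1 > 10.0.0.2: (frag 1:1480@0+)",
    "13:04:00.000100 10.0.0.1 > 10.0.0.2: (frag 1:100@1480)",
]

if __name__ == "__main__":
    for ident, reasons in check_fragments(SAMPLE_LINES).items():
        for r in reasons:
            print(f"ID {ident}: {r}")
    print("clean train findings:", check_fragments(CLEAN_LINES))
```

Feeding it `tcpdump -n` output for a segment works unchanged; the per-ID range list is deliberately reset per run rather than aged out, so for long captures you would want to expire IDs after a reassembly timeout.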
Current thread:
- snort crash ... Fabio Pietrosanti (Jul 27)
- Re: snort crash ... MMS26 (Jul 28)