Subject: Re: Fooling NIDS
From: Crist Clark (crist.clark@globalstar.com)
Date: Tue Dec 05 2000 - 18:37:03 CST


Martin Roesch wrote:

[snip]

> Anyway, this is an interesting case. Without seeing a core dump it looks like
> you've got straight TCP traffic here crashing Snort.

There was a core dump in the first mail I sent. ;)

> Judging by the line you
> say its crashing on, probably one of the packet pointers is nulled out and
> it's failing on the dereference. If this is just plain Snort 1.6.3, you
> should probably try out version 1.6.3-patch2 which is available on the
> downloads page of www.snort.org or (more easily)
> http://snort.sourceforge.net.
>
> If you want to patch your existing code, you can add this check right before
> the if statement you cite in sp_tcp_seq_check.c:
>
> if((p == NULL) || (p->tcph == NULL))
> {
>     return 0;
> }
>
> Version 1.6.3 had a problem where you could get packets with NULL pointers
> into the detection engine where they would potentially be dereferenced by any
> of the plugins, which generally expect the packet pointers to be good when
> they run.
>
> Thanks for the bug report, sorry for the delay in responding!

Yep. That code should catch it. I loaded up that core file in the debugger,

  open# gdb /usr/local/bin/snort
  GNU gdb 4.16.1
  Copyright 1996 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and you are
  welcome to change it and/or distribute copies of it under certain conditions.
  Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB. Type "show warranty" for details.
  This GDB was configured as "i386-unknown-openbsd2.7"...
  (gdb) core snort1.core
  Core was generated by `snort'.
  Program terminated with signal 11, Segmentation fault.
  Reading symbols from /usr/libexec/ld.so...done.
  Reading symbols from /usr/lib/libpcap.so.1.1...done.
  Reading symbols from /usr/lib/libc.so.25.0...done.
  #0 0xe957 in CheckTcpSeqEq (p=0xdfbfd3ec, otn=0x92000, fp_list=0x89cc0)
      at sp_tcp_seq_check.c:138
  138 if (((TcpSeqCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_seq == ntohl(p->tcph->th_seq))
  (gdb) p p
  $1 = (Packet *) 0xdfbfd3ec
  (gdb) p p->tcph
  $2 = (TCPHdr *) 0x0
  (gdb)

There's the NULL pointer.

I'll update my Snort and fire the full IDSwakeup against it while running
on the arachNIDS ruleset[0], but this should get this issue.

[0] I'll try to do it tonight, but you know, the last segment of the Dune
series is on Sci-Fi. Like I don't know how it ends[1]. ;) However, missing
it is grounds for getting stripped of a number of geek certifications and
would make it difficult to follow all of the bashing on USENET and the web.

[1] But if it rains at the end like in a certain other filmed version, there
will be hell to pay.

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

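The crash and the fix discussed in the thread, as an added C example that is not Snort's own code: the structs are simplified stand-ins for Snort's Packet, TCPHdr and the plugin's TcpSeqCheckData, and the two functions model the sequence check before and after the NULL guard.

```c
/* Added example, not Snort source. Minimal model of the 1.6.3 bug where a
 * packet with no TCP header reached a detection plugin that assumed one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

typedef struct { uint32_t th_seq; } TCPHdr;          /* only the field the check reads */
typedef struct { TCPHdr *tcph; } Packet;             /* NULL when the decoder saw no TCP header */
typedef struct { uint32_t tcp_seq; } TcpSeqCheckData; /* value from the rule's "seq:" option */

/* 'Before': trusts that the decoder always attached a TCP header. A packet
 * with tcph == NULL dereferences NULL here, which is the SIGSEGV in the
 * gdb session above. */
static int CheckTcpSeqEq_unsafe(Packet *p, TcpSeqCheckData *d)
{
    return d->tcp_seq == ntohl(p->tcph->th_seq);
}

/* 'After': the guard suggested in the reply, placed before the comparison.
 * Returning 0 means "this rule option did not match", so a non-TCP packet
 * is simply passed over instead of crashing the sensor. */
static int CheckTcpSeqEq_safe(Packet *p, TcpSeqCheckData *d)
{
    if ((p == NULL) || (p->tcph == NULL))
        return 0;
    return d->tcp_seq == ntohl(p->tcph->th_seq);
}

/* Constructed inputs: one TCP segment carrying seq 0x1234 (stored in
 * network byte order, as in a real decoded packet) and one packet with
 * no TCP header at all. Returns 1 when both checks behave as expected. */
static int run_demo(void)
{
    TCPHdr hdr = { htonl(0x1234) };
    Packet tcp_pkt = { &hdr };
    Packet no_tcp = { NULL };
    TcpSeqCheckData rule = { 0x1234 };

    int old_ok  = CheckTcpSeqEq_unsafe(&tcp_pkt, &rule); /* 1: fine while tcph is set */
    int matched = CheckTcpSeqEq_safe(&tcp_pkt, &rule);   /* 1 */
    int skipped = CheckTcpSeqEq_safe(&no_tcp, &rule);    /* 0, and no crash */
    /* CheckTcpSeqEq_unsafe(&no_tcp, &rule) would segfault here. */
    printf("tcp match=%d, non-tcp=%d\n", matched, skipped);
    return old_ok == 1 && matched == 1 && skipped == 0;
}

int main(void) { return run_demo() ? 0 : 1; }
```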