Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-2652: snort: denial-of-service | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | | |
| Priority: | P3 - Medium | CC: | mls, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-2652: CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 76899 | | |
| Bug Blocks: | | | |
|
Description
Thomas Biege
2004-12-30 23:31:42 UTC
http://www.k-otik.com/exploits/20041222.angelDust.c.php

swamp id: 90

Will be handled by Klaus at 10th of Jan..

I dug a bit deeper into this issue. This seems to be the root of all DOS reports: http://isc.sans.org/diary.php?date=2004-12-22

Only if running in a special mode (= sniffer mode, or -v[erbose]) or FAST mode are people affected by this DoS. But just running in FAST mode and enabling snortdb, or running the even faster mode "barnyard", is enough not to be affected. So in most cases no one is harmed.
==> Adapting severity to minor.

The problem is known and the patch was released 2004-10-04, but no special patch exists at the snort website. The Snort Team recommends upgrading to the latest version, which is a Release Candidate (2.3.0 RC2). As now a script exists for the kiddies, which hardens the conditions, I don't know what to do.
- Should I reverse engineer the patch (amount of work time is unknown)?
- Should I build snort-2.3.0RC2 for all old SUSE LINUX versions?
- Should I wait for snort-2.3.0 final?
==> Input needed from security-team; reassigning it.
BTW: I didn't find any CAN number yet.

We should wait for the final version. Did we do version upgrades in the past? BTW, there is no CAN for snort in the Mitre database for year > 2003.

We didn't do many version upgrades for snort in the past. I can only remember one upgrade, but can't remember when and for which distri this happened. If you think extracting the patch is too much work, I would suggest a stable-only fix then.

Any news for us? :)

OOops. Forget that one. Nevertheless, a new version was released, as expected: 2.3.0. Hopefully I can build and adapt it for old SuLi within this week. Thanks for reminding me.

new swampid: 489

Klaus, have you been successful?

delayed for 9.3

Where is an 8.1-i386 for testing?

8.1 died in the meantime... I think we can ignore it.

Ok. Then I need a SLES8 (which is in general equal to the 8.1 :) At least the QA team should have one.
I made now an update with a large patch for the old (free) ruleset: an adaptation of the 2.3.0 ruleset (Feb) to current snort version 2.3.2.

New packages are submitted for: SLES8 (and derivatives, like UL, SLEC), 8.2, 9.0, 9.1 (and derivatives like JDS, SLD, NLD, SLES9), 9.2, 9.3

I think that this update is working, but Testing Team: please test a lot. :-)

Security Team: reassigning this bug to handle the rest of the update process.

Note: the question regarding the rulesets for upcoming versions is still undecided. For now I took an old ruleset (from Feb) only; I didn't write new rulesets to detect intrusion via latest security issues.

/work/src/done/PATCHINFO/snort.patch.maintained
/work/src/done/PATCHINFO/snort.patch.box

The update has been tested by QA for SLES8 and SLES9.
It is broken in multiple places. I see at least 3 problems:

snort wrong symlink to start script (SLES8)
-------------------------------------------

```
cancer:/var/log/snort/10.10.2.8 # rcsnort restart
-bash: /sbin/rcsnort: No such file or directory
cancer:/var/log/snort/10.10.2.8 # ll /usr/sbin/rcsnort
lrwxrwxrwx 1 root root 23 Apr 26 15:08 /usr/sbin/rcsnort -> ../..//etc/init.d/snort
```

snort restart fails (SLES8)
---------------------------

how to reproduce:
do a fresh install of snort (GA)
change /etc/sysconfig to reflect these changes:

```
SNORT_INTERFACE="eth0"
SNORT_ACTIVATE="yes"
SNORT_AUTO="yes"
SNORT_PROMISC="yes"
SNORT_USER="snort"
SNORT_GROUP="snort"
SNORT_EXTRA_OPTIONS="-v"
```

update snort using patch-10033

this is what happens:

```
cancer:/var/log/snort/10.10.2.8 # /etc/init.d/snort restart
Shutting down snort
done
Starting snort
failed
```

from /var/log/messages:

```
Apr 26 15:09:27 cancer snort: Initializing daemon mode
Apr 26 15:09:27 cancer snort: PID path stat checked out ok, PID path set to /var/run/
Apr 26 15:09:27 cancer snort: Writing PID "7923" to file "/var/run//snort_eth0.pid"
Apr 26 15:09:27 cancer snort: Parsing Rules file /etc/snort/snort.conf
Apr 26 15:09:27 cancer snort: FATAL ERROR: unknown preprocessor "http_decode"
Apr 26 15:09:27 cancer kernel: device eth0 left promiscuous mode
```

snort restart fails (SLES9)
---------------------------

how to reproduce:
do a fresh install of snort (GA)
change /etc/sysconfig to reflect these changes:

```
SNORT_INTERFACE="eth0"
SNORT_ACTIVATE="yes"
SNORT_AUTO="yes"
SNORT_PROMISC="yes"
SNORT_USER="snort"
SNORT_GROUP="snort"
SNORT_EXTRA_OPTIONS="-v"
```

update snort using patch-10033

this is what happens:

```
gemini:~ # rcsnort restart
Shutting down snort
done
Starting snort
done
gemini:~ # rcsnort status
unused
```

from /var/log/messages:

```
Apr 26 15:21:48 gemini snort: FATAL ERROR: Unable to open rules file: /etc/snort/local.rules or /etc/snort//etc/snort/local.rules
```

ok, trying to give /etc/snort/local.rules and starting things over:

```
gemini:~ # touch /etc/snort/local.rules
gemini:~ # rcsnort restart
Shutting down snort
done
Starting snort
done
gemini:~ # rcsnort status
unused
```

from /var/log/messages:

```
Apr 26 15:24:33 gemini snort: FATAL ERROR: Unable to open rules file: /etc/snort/bad-traffic.rules or /etc/snort//etc/snort/bad-traffic.rules
```
snort wrong symlink to start script (SLES8):
--------------------------------------------
Please check this again.
In my specfile is a "ln -s ../../%{_sysconfdir}/init.d/snort rcsnort", which contradicts your examination.

snort wrong symlink to start script (SLES8):
--------------------------------------------
We must use /etc/snort/snort.conf.rpmnew to get "var RULE_PATH /etc/snort/rules" and are not allowed to use /etc/snort/snort.conf.
Don't know how to solve this?! Help appreciated.
==> no problems which I can fix.

Will work on SLES9 issues...
SLES9:
------
same problem here. We must use /etc/snort/snort.conf.rpmnew to get "var RULE_PATH /etc/snort/rules" and are not allowed to use /etc/snort/snort.conf.

mls: say something regarding rpmnew. :-)

mls: thanks. new packages submitted. next try. :-)

To: security-intern@suse.de
From: patch_system@suse.de
Date: Tue, 3 May 2005 16:31:27 +0200 (CEST)
Subject: [sec-int] [putonftp] secfix snort-2.3.2-7.i586.rpm
Reply-To: security-intern@suse.de
Errors-To: security-intern-bounces+thomas=suse.de@suse.de

Script 'mail_hack' called by root
package:snort-2.3.2-7.i586.rpm
comment:This update includes a fix for a denial-of-service attack which can be triggered by an attacker by sending a malformed packet.
comment_de:Dieses Update behebt eine über das Netzwerk auslösbare Denial-Of-Service Attacke.
md5sum:47df81df480fff693f912a5dad968cb5
url:ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/snort-2.3.2-7.i586.rpm

CVE-2004-2652
The DecodeTCPOptions function in decode.c in Snort before 2.3.0, when printing TCP/IP options using FAST output or verbose mode, allows remote attackers to cause a denial of service (crash) via packets with invalid TCP/IP options, which trigger a null dereference.

CVE-2004-2652: CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
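The CVE text above names the failure class: an option with an out-of-range length field is handed to the verbose/FAST option printer, which dereferences a NULL data pointer. The following is an added example written for this page; it is not Snort's decode.c and not part of this bug's update. It shows the defensive shape of such a decoder: every option's length is validated against the remaining buffer before a data pointer is recorded, a bad option is recorded as invalid and stops the walk, and the printer never touches the payload of an option that has none or that failed validation. The option kinds are the RFC 793 / RFC 2018 values; the function names, the `tcp_opt_t` type and the sample byte strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds (RFC 793 / RFC 2018); only those used by the samples below. */
#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MAXSEG  2
#define TCPOPT_SACKOK  4

typedef struct {
    uint8_t kind;
    uint8_t len;          /* total length incl. kind and length bytes (1 for EOL/NOP) */
    const uint8_t *data;  /* NULL when the option has no payload or is malformed */
    int invalid;          /* non-zero when the length field is out of range for the buffer */
} tcp_opt_t;

/* Walk the TCP options area buf[0..buflen). Every recorded option either has a
 * bounded, non-NULL data pointer or data == NULL; a bad length field is recorded
 * as one invalid option, *bad is set and decoding stops there. Returns the count. */
int decode_tcp_options(const uint8_t *buf, size_t buflen,
                       tcp_opt_t *out, int max_out, int *bad)
{
    size_t off = 0;
    int n = 0;
    *bad = 0;
    while (off < buflen && n < max_out) {
        tcp_opt_t *o = &out[n];
        o->kind = buf[off];
        o->data = NULL;
        o->invalid = 0;
        if (o->kind == TCPOPT_EOL || o->kind == TCPOPT_NOP) {   /* single-byte options */
            o->len = 1;
            n++;
            off += 1;
            if (o->kind == TCPOPT_EOL) break;                    /* EOL ends the list */
            continue;
        }
        if (off + 1 >= buflen) {             /* kind byte present, length byte missing */
            o->len = 0;
            o->invalid = 1;
            *bad = 1;
            n++;
            break;
        }
        o->len = buf[off + 1];
        if (o->len < 2 || off + o->len > buflen) {   /* zero/one length, or overruns buffer */
            o->invalid = 1;
            *bad = 1;
            n++;
            break;
        }
        if (o->len > 2) o->data = buf + off + 2;     /* payload exists only for len > 2 */
        n++;
        off += o->len;
    }
    return n;
}

/* Append printf-style text to out; returns -1 when the buffer is full (no overflow). */
static int append(char *out, size_t outlen, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int w;
    if (*used >= outlen) return -1;
    va_start(ap, fmt);
    w = vsnprintf(out + *used, outlen - *used, fmt, ap);
    va_end(ap);
    if (w < 0 || (size_t)w >= outlen - *used) { *used = outlen; return -1; }
    *used += (size_t)w;
    return 0;
}

/* Render decoded options the way a verbose packet printer would, without ever
 * reading data for an option that has none or that failed validation.
 * Returns characters written, or -1 if the output buffer was too small. */
int format_tcp_options(const tcp_opt_t *opts, int n, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        const tcp_opt_t *o = &opts[i];
        if (o->invalid) {
            if (append(out, outlen, &used, "Opt %u (invalid length %u) ",
                       (unsigned)o->kind, (unsigned)o->len)) return -1;
        } else if (o->data == NULL) {
            if (append(out, outlen, &used, "Opt %u ", (unsigned)o->kind)) return -1;
        } else {
            if (append(out, outlen, &used, "Opt %u (%u):", (unsigned)o->kind, (unsigned)o->len)) return -1;
            for (unsigned j = 0; j + 2 < o->len; j++)
                if (append(out, outlen, &used, " %02X", o->data[j])) return -1;
            if (append(out, outlen, &used, " ")) return -1;
        }
    }
    return (int)used;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t sample_good[]     = { 0x02, 0x04, 0x05, 0xB4, 0x01, 0x01, 0x04, 0x02, 0x00 }; /* MSS 1460, NOP, NOP, SACK-permitted, EOL */
static const uint8_t sample_zero_len[] = { 0x02, 0x00, 0x05, 0xB4 };   /* MSS with length field 0 */
static const uint8_t sample_overrun[]  = { 0x02, 0x04, 0x05 };         /* MSS claims 4 bytes, only 3 present */
static const uint8_t sample_no_len[]   = { 0x01, 0x03 };               /* NOP, then a kind byte with no length byte */

int main(void)
{
    const uint8_t *samples[] = { sample_good, sample_zero_len, sample_overrun, sample_no_len };
    const size_t lens[] = { sizeof sample_good, sizeof sample_zero_len, sizeof sample_overrun, sizeof sample_no_len };
    for (size_t s = 0; s < 4; s++) {
        tcp_opt_t opts[8];
        char line[128];
        int bad;
        int n = decode_tcp_options(samples[s], lens[s], opts, 8, &bad);
        format_tcp_options(opts, n, line, sizeof line);
        printf("sample %zu: %d option(s), malformed=%d: %s\n", s, n, bad, line);
    }
    return 0;
}
```

The three malformed samples (length 0, length past the end of the buffer, and a missing length byte) are exactly the inputs that must end up as "invalid" records rather than as a NULL pointer the printer later reads; the separate `invalid` flag lets the printer and any alert logic tell "no payload" apart from "bad packet".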