TUCoPS :: Unix :: General
:: unix4993.htm
Snort IDS is succeptible to DoS (maybe exploitable remote buffer overflow)
11th Jan 2002 [SBWID-4993]
COMMAND
Snort IDS is succeptible to DoS (maybe exploitable remote buffer
overflow)
SYSTEMS AFFECTED
Snort 1.8.3 and probably earlier
PROBLEM
Per \"Sinbad\" report, snort ICMP parser is doomed ...
Example :
# snort -dev host 192.168.0.3 and 192.168.0.1
Ping 192.168.0.1 from 192.168.0.3 within one data in payload:
# ping -c 1 -s 1 192.168.0.1
Snort\'s output showed below:
-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
Type:8 Code:0 ID:9435 Seq:0 ECHO
Segmentation fault (core dumped)
SOLUTION
Following patch has been committed to the Snort 1.8 branch of Snort CVS
and is included in build 90.
--- olddecode.h Thu Jan 10 15:47:48 2002
+++ decode.h Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
#define IP_HEADER_LEN 20
#define TCP_HEADER_LEN 20
#define UDP_HEADER_LEN 8
-#define ICMP_HEADER_LEN 8
+#define ICMP_HEADER_LEN 4
#define TH_FIN 0x01
#define TH_SYN 0x02