README.md

File metadata and controls

80 lines (56 loc) · 1.71 KB

CVE/EDB ID

Experiment Environment

CentOS 6.5

INSTALL & Configuration

```bash
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2005-3252/snort-2.4.2.tar.gz
tar -xvf snort-2.4.2.tar.gz
cd snort-2.4.2
./configure
make
sudo make install
```

Problems in Installation & Configuration

How to trigger vulnerability

```bash
gcc -o exploit 1272.c
./exploit 127.0.0.1 2
```

PoCs

Snort 2.4.2 - Back Orifice Pre-Preprocessor Remote (3)

Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow

Snort Back Orifice Preprocessor Remote Stack Buffer Overflow Vulnerability

Vulnerability Details & Patch

Root Cause

The bug is in BoGetDirection() in the Back Orifice preprocessor (spp_bo.c). This is the vulnerable code:

```c
static int BoGetDirection(Packet *p, char *pkt_data)
{
    u_int32_t len = 0;
    u_int32_t id = 0;
    u_int32_t l, i;
    char type;
    char buf1[1024];        /* fixed-size stack buffer that receives the decrypted data */
    char buf2[1024];        /* buf2, plaintext and buf_ptr are declared in the function; */
    char plaintext;         /* restored here so the excerpt reads as complete C */
    char *buf_ptr;

    ...

    /* Only examine data if this is a ping request or response */
    if ( type == BO_TYPE_PING )
    {
        i = 0;
        buf_ptr = buf1;
        *buf1 = 0;
        *buf2 = 0;
        /* Decrypt data */
        while ( i < len )   /* len comes from the packet header; never compared with sizeof(buf1) */
        {
            plaintext = (char) (*pkt_data ^ (BoRand()%256));
            *buf_ptr = plaintext;   /* writes past the end of buf1 once i reaches 1024 */
            i++;
            pkt_data++;
            buf_ptr++;

            ...
```

As described in the PoC, len is taken from the BO packet header and is never checked against the size of buf1, so when len exceeds 1024 the decryption loop overflows the stack buffer.
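The bounds check that the root cause calls for, written as an added example: this is neither Snort's code nor its actual patch, and BoRand() is replaced by a stand-in keystream (an assumption) so the loop runs on its own. The header-supplied length is validated against both the destination buffer and the captured payload before any byte is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BO_BUF_SIZE 1024   /* same size as buf1 in BoGetDirection() */

/* Stand-in keystream (assumption): NOT Snort's BoRand(), only a deterministic
 * byte generator so that the example is self-contained and reproducible. */
static uint32_t holdrand = 0;
static int bo_rand_stub(void)
{
    holdrand = holdrand * 1103515245u + 12345u;
    return (int)((holdrand >> 16) & 0x7fff);
}

/* Hardened decryption loop. claimed_len is the untrusted length from the BO
 * header; pkt_len is how much payload was actually captured. Returns the number
 * of bytes decrypted, or -1 when the claimed length would overrun `out` (the
 * CVE-2005-3252 condition) or exceeds what is really in the packet. */
int bo_decrypt_ping(const unsigned char *pkt_data, size_t pkt_len,
                    uint32_t claimed_len, char *out, size_t out_size)
{
    if (pkt_data == NULL || out == NULL || out_size == 0)
        return -1;
    if (claimed_len >= out_size)     /* leave room for the terminating NUL */
        return -1;
    if (claimed_len > pkt_len)       /* header claims more than was captured */
        return -1;

    holdrand = 0;                    /* reset keystream per packet (stub behaviour) */
    for (uint32_t i = 0; i < claimed_len; i++)
        out[i] = (char)(pkt_data[i] ^ (bo_rand_stub() % 256));
    out[claimed_len] = '\0';
    return (int)claimed_len;
}

/* Constructed demonstration: a header length far larger than buf1 is rejected
 * instead of driving the loop past the end of the stack buffer. */
int bo_demo_oversized_rejected(void)
{
    unsigned char pkt[16] = {0};     /* constructed 16-byte payload */
    char buf1[BO_BUF_SIZE];
    return bo_decrypt_ping(pkt, sizeof pkt, 0xFFFFu, buf1, sizeof buf1);
}
```

Because the transform is a plain XOR with a per-packet keystream, running the function twice with the same length round-trips the data, which is a convenient check that the hardened loop still decrypts correctly.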

Stack Trace

Patch

References

CVE-2005-3252 - Snort 2.4.0-2 remote code execution