CX-2007-01.txt
Posted Jan 14, 2007
Authored by Chris Rohlf

Calyptix Security Advisory - Snort 2.6.1.2 is vulnerable to an integer underflow that allows a remote attacker to cause Snort to read beyond a specified length of memory, potentially corrupting logfiles.

tags | advisory, remote
SHA-256 | 51e3d19ce57e41633b7f6a33b25810f1643b9c31932058f68526057122832085

Calyptix Security Advisory CX-2007-001
Date: 01/11/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-01.txt

[ Overview ]

Snort 2.6.1.2 is vulnerable to an integer underflow that allows a
remote attacker to cause Snort to read beyond a specified length of
memory, potentially corrupting logfiles.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Low Risk' as
the vulnerable code will not be compiled by default. Please see the
analysis section for more details.

[ Patch / Fix / Workaround ]

Sourcefire has released a fix for this vulnerability in Snort's current CVS
tree.

[ Analysis ]

Snort 2.6.1.2 has support for decoding the Generic Routing
Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary
protocols to a remote host. The vulnerability in Snort's parsing
engine is located in the function DecodeGRE() in decode.c

==BEGIN CODE==
...
/* decode.c, line 3459 */
void DecodeGRE(u_int8_t *pkt, const u_int32_t len, Packet *p)
{
    u_int8_t flags;
    u_int32_t hlen;           /* GRE header length */
    u_int32_t payload_len;
    ...
    payload_len = len - hlen; /* payload_len is calculated here; nothing checks that len >= hlen first */
    ...
    switch (ntohs(p->greh->ether_type))    /* decode.c, line 3597 */
    {
    ...
    default:                               /* decode.c, line 3625 */
        pc.other++;
        p->data = pkt + hlen;
        p->dsize = (u_short)payload_len;   /* truncates payload_len to 65XXX */
        return;
    }
    ...
==END CODE==

'payload_len', 'len' and 'hlen' are all 32-bit unsigned integer
types, and the subtraction is performed without first checking that
'len' is at least 'hlen'. A specially crafted GRE packet will trigger
an integer underflow, causing 'payload_len' to wrap around and become
a very large number. If the correct protocol field in the GRE header
is used, the attacker can reach line 3627 of decode.c, which assigns
'payload_len' as an unsigned short to p->dsize. This truncates
payload_len to a 16-bit value of at most 65535. In order to exploit
the vulnerability, Snort must be compiled with '--enable-gre' and run
with the '-d' flag to dump the application layer content of each
packet. Upon receiving the malicious packet, Snort will read and log
beyond the packet's length in memory. This will leak other portions
of memory that may contain the contents of other packets, Snort
rules, and various Snort data structures.
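Added example, not code from the advisory or from Snort's source: a minimal C model of the length arithmetic described above, showing the unchecked subtraction and u_short truncation beside a form that validates 'len' against 'hlen' before subtracting. The flag bit positions follow the GRE version 0 header layout (RFC 1701/2784); the function names and the sample values are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the GRE length arithmetic the advisory describes.
 * Names mirror the advisory: len = bytes available in the captured packet,
 * hlen = GRE header length derived from the flag bits, payload_len = len - hlen. */

#define GRE_BASE_LEN 4u      /* flags/version word + protocol type */
#define GRE_FLAG_C   0x80u   /* checksum present */
#define GRE_FLAG_R   0x40u   /* routing present (RFC 1701) */
#define GRE_FLAG_K   0x20u   /* key present */
#define GRE_FLAG_S   0x10u   /* sequence number present */

/* Header length of a GRE v0 header given its first flag byte. The checksum
 * and offset fields share one 4-byte word, so C or R adds that word once. */
uint32_t gre_header_len(uint8_t flags)
{
    uint32_t hlen = GRE_BASE_LEN;
    if (flags & (GRE_FLAG_C | GRE_FLAG_R)) hlen += 4;
    if (flags & GRE_FLAG_K) hlen += 4;
    if (flags & GRE_FLAG_S) hlen += 4;
    return hlen;
}

/* Vulnerable arithmetic: unsigned subtraction with no check that len >= hlen,
 * followed by the u_short truncation the advisory points at (p->dsize). */
uint16_t gre_dsize_unchecked(uint32_t len, uint8_t flags)
{
    uint32_t payload_len = len - gre_header_len(flags); /* wraps when hlen > len */
    return (uint16_t)payload_len;                       /* only the low 16 bits survive */
}

/* Hardened form: validate the length before subtracting. Returns -1 when the
 * captured bytes cannot hold the header (the packet should be dropped, not
 * dumped), otherwise the payload size that is safe to assign to dsize. */
int32_t gre_dsize_checked(uint32_t len, uint8_t flags)
{
    uint32_t hlen = gre_header_len(flags);
    if (len < hlen || len - hlen > UINT16_MAX)
        return -1;
    return (int32_t)(len - hlen);
}

int main(void)
{
    uint8_t flags = GRE_FLAG_C | GRE_FLAG_K | GRE_FLAG_S; /* hlen = 16 bytes */
    printf("unchecked dsize for an 8-byte capture: %u\n", gre_dsize_unchecked(8, flags));
    printf("checked result for the same capture:   %d\n", gre_dsize_checked(8, flags));
    return 0;
}
```

With only 8 bytes captured and a 16-byte header implied by the flags, the unchecked path yields a dsize of 65528, which is the over-read the advisory describes; the checked path rejects the packet instead.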

[ Disclosure Timeline ]

01/06/2007 - Vulnerability Discovered
01/08/2007 - Sourcefire, Inc. Contacted
01/11/2007 - Sourcefire Released Fix in Snort CVS
01/11/2007 - Public Disclosure


[ Credit ]

Chris Rohlf of Calyptix Security discovered this vulnerability.


[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing
advisories2007@calyptix.com


[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.


[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification. This advisory may not be modified without the
express written consent of Calyptix Security. If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007@calyptix.com for such permission.

The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to any information
in this advisory. None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.

