Date: Sat, 15 Nov 2003 15:44:35 -0800 (PST)
From: "snosoft@...lip.com" <snosoft@...lip.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com, vulndev@...urityfocus.com,
   vulnwatch@...nwatch.org
Subject: Senseless Buffer Overflow in SNOSOFT.COM IDS Suite


Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research@...netops.com
Team Lead Contact                           kf@...netops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

Amongst which the expertise of 15 year old efnet hackers who are
allowed to operate under the guise of a single person's clearance
level. We encourage our staff's vivid imaginations and we feel that
playing spook is very much a teambuilding endeavour, not much
unlike corporate paintball. 

To learn more about our company, products and services or to request
a demo of ANVIL FCS please visit our site at http://www.secnetops.com,
or call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-11-14-0911
Product                 : Snosoft Anvil IDS Suite
Version                 : All of 'em.
Vendor                  : http://twdx.secnetops.com/service
Class                   : Local
Criticality             : High (to our one customer)
Operating System(s)     : FreeBSD 


Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation
************************************************************************
High Level Description  : Our best of security professionals understand
                          that strncpy is a safe function, so using it
                          for our primary input assures that we are
                          secure throughout the rest of our code.
What to do              : To adequately protect yourself from threats,
                          we recommend that our one customer terminate
                          their contract with us and use Mike Schiffman
                          as their sole security provider.


Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has no concept. 

Low Level Description  : ANVIL is an overpriced IDS suite that is,
for all practical purposes, nothing more than Snort repackaged on a
FreeBSD livecd, that logs to a mysql database using stunnel for
added security.

Essentially the only piece of unique code in this IDS suite, written
by the Snosoft Secure Network Something Team, is called ip-to-hex.c.
Since the program is short, we will include the entire GPL'd source
code in our advisory so that the world can understand how gifted we
are as both programmers and security experts.

We at SNO (Secure Network Operations) understand that every
programmer has two modes: secure mode and insecure mode. And
although our teenybopper staff severely screwed up this non-critical
application, we assure you that they would never make similar
mistakes in critical applications. It does not indicate that we
didn't audit SNORT before shamelessly repackaging it and providing
it with a "convenient single-target environment."

/*
Apex Intrusion Detection Solution (TM)
Copyright (C) 2003, Secure Network Operations, Inc.  All rights reserved.
-------------------------------------------------------------------------
http://www.secnetops.com

Compile gcc -o iptohex iptohex.c
usage: ./iptohex <IP-V4-ADDRESS>

Released under the GNU Public License.

*/

#include <curses.h>
#include <stdio.h>
#include <stdlib.h>   /* atoi(), exit() */
#include <string.h>


/* Converts a dotted-quad string into a run of two-digit hex octets.
 * The per-octet scratch buffer buf[] is 80 bytes, but the inner loop
 * copies every non-dot character of the current field into it with no
 * length check, so a field longer than 79 characters overflows buf.
 * iphex is also appended to with strcat() without regard to its size. */
char *ip(char *ip, char *iphex)
{
    char buf[80], buf2[80];
    int p = 0, i = 0;

    iphex[0] = 0;

    while (ip[p] != 0)
    {
        i = 0;
        while (ip[p] != '.' && ip[p] != 0)
        {
            buf[i++] = ip[p++];      /* unbounded copy into buf[80] */
        }
        buf[i] = 0;
        sprintf(buf2, "%02X", atoi(buf));
        strcat(iphex, buf2);         /* unbounded append into caller's buffer */
        if (ip[p] != 0) p++;
    }
    return iphex;
}

int main(int argc, char *argv[])
{
    char buf[128];
    char mkch[128];

    if (argc == 1)
    {
        printf("usage : iptohex [ip address]\n");
        printf("return: hex\n");
        exit(0);
    }
    /* strncpy() does not NUL-terminate mkch when argv[1] is 128 bytes
     * or longer, so ip() then reads past the end of mkch. */
    strncpy(mkch, argv[1], 128);
    printf("0x%s\n", ip(mkch, buf));
    return 0;
}

To begin tracing the bug down, compile the software and run it with a
long string of A's generated with perl -e on the command line.  If
you use enough A's, it should crash.  In the spirit of full
disclosure, we will allow the community to help track down all the
issues with the program, and maybe help us better understand the very
languages that we are experts at.



Vendor Status           : Currently awaiting the assistance of
community members to help us track down why the program is crashing,
before we can issue a fix and send the latest version of the ANVIL
livecd to our customer.

Bugtraq URL             : To be assigned. CVE candidate CAN-2003-0911.

Special thanks to iDefense for allowing our "company" to participate
in the profiling of the Phrack High Council.  In the end, it seems we
are the ones that got "reconned", and that there are probably better
sources of "intelligence" than either Snosoft or iDefense.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability. Exploit source code is no
longer released in our advisories but can be obtained under
contract. Contact our sales department at sales@...netops.com for
further information on how to obtain proof of concept code.

----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"The act of reconning is a race condition; we attempt to recon you
before you recon us, but we aren't always as successful as we'd like."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
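Editor's note: the routine below is an added example, written for this archive page; it is not code from the post above nor from Secure Network Operations. It shows what a bounds-checked version of the quoted ip() routine looks like: each octet is parsed in place (at most three digits, value at most 255) instead of being copied into an 80-byte scratch buffer, the output is written with snprintf() against the caller-supplied size instead of sprintf()+strcat(), and exactly four octets are required. The function name ip_to_hex_safe, its parameters and the check() helper are hypothetical names chosen here. The over-long "AAAA..." argument that crashes the original is simply rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the advisory's ip() routine.
 * Writes eight hex digits ("C0A80101" for 192.168.1.1) plus a NUL into
 * out and returns 0. Returns -1 and leaves out as an empty string when
 * the input is not a dotted-quad IPv4 address or out is too small.
 * No input, however long, can write past either buffer. */
int ip_to_hex_safe(const char *ip, char *out, size_t outlen)
{
    size_t pos = 0;     /* next write position in out */
    int octets = 0;
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (ip == NULL || outlen < 9)   /* 8 hex digits + NUL */
        return -1;

    for (;;) {
        unsigned value = 0;
        int digits = 0;

        /* One octet: digits are accumulated in place, so there is no
         * scratch buffer to overflow; more than three digits is an error. */
        while (isdigit((unsigned char)ip[0])) {
            if (++digits > 3)
                goto fail;
            value = value * 10 + (unsigned)(ip[0] - '0');
            ip++;
        }
        if (digits == 0 || value > 255)
            goto fail;
        if (++octets > 4)
            goto fail;

        /* Bounded formatting into the remaining space of out. */
        n = snprintf(out + pos, outlen - pos, "%02X", value);
        if (n < 0 || (size_t)n >= outlen - pos)
            goto fail;
        pos += (size_t)n;

        if (ip[0] == '\0')
            break;
        if (ip[0] != '.')
            goto fail;          /* letters, spaces, anything but a dot */
        ip++;                   /* a trailing dot gives digits == 0 next round */
    }
    if (octets != 4)
        goto fail;
    return 0;

fail:
    out[0] = '\0';
    return -1;
}

/* Self-check helper: returns 1 when ip converts to expect, or, with
 * expect == NULL, when ip is rejected and the output is left empty. */
int check(const char *ip, const char *expect)
{
    char out[9];
    int rc = ip_to_hex_safe(ip, out, sizeof out);

    if (expect == NULL)
        return rc == -1 && out[0] == '\0';
    return rc == 0 && strcmp(out, expect) == 0;
}

int main(int argc, char *argv[])
{
    char hex[9];

    if (argc != 2) {
        fprintf(stderr, "usage: iptohex <IPv4 address>\n");
        return 2;
    }
    if (ip_to_hex_safe(argv[1], hex, sizeof hex) != 0) {
        fprintf(stderr, "rejected: not a dotted-quad IPv4 address\n");
        return 1;
    }
    printf("0x%s\n", hex);
    return 0;
}
```

Compile with cc -o iptohex iptohex.c and run it with the same perl -e string of A's the post suggests: the hardened version prints "rejected" and exits 1 instead of crashing. The design choice is to never copy the input at all; every byte is consumed once where it stands, and the only write target is the caller's buffer with its size passed alongside.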