Message-ID: <JUMCH2F1CPIPL3F3ANP2OJH3LTMGP5OEGEKCOALZ@ziplip.com>
Date: Sat, 15 Nov 2003 15:44:35 -0800 (PST)
From: "snosoft@...lip.com" <snosoft@...lip.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com, vulndev@...urityfocus.com,
vulnwatch@...nwatch.org
Subject: Senseless Buffer Overflow in SNOSOFT.COM IDS Suite
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research@...netops.com
Team Lead Contact kf@...netops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Amongst which the expertise of 15 year old efnet hackers who are
allowed to operate under the guise of a single person's clearance
level. We encourage our staff's vivid imaginations and we feel that
playing spook is very much a teambuilding endeavour, not much
unlike corporate paintball.
To learn more about our company, products and services or to request
a demo of ANVIL FCS please visit our site at http://www.secnetops.com,
or call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number : SRT2003-11-14-0911
Product : Snosoft Anvil IDS Suite
Version : All of 'em.
Vendor : http://twdx.secnetops.com/service
Class : Local
Criticality : High (to our one customer)
Operating System(s) : FreeBSD
Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.
Basic Explanation
************************************************************************
High Level Description : Our best of security professionals understand
that strncpy is a safe function, so using it
for our primary input assures that we are
secure throughout the rest of our code.
What to do : To adequately protect yourself from threats,
we recommend that our one customer terminate
their contract with us and use Mike Schiffman
as their sole security provider.
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has no concept.
Low Level Description : ANVIL is an overpriced IDS suite, that is
for all practical purposes nothing more than Snort repackaged on a
FreeBSD livecd, that logs to a mysql database using stunnel for
added security.
Essentially the only piece of unique code in this IDS suite, written
by the Snosoft Secure Network Something Team, is called ip-to-hex.c.
Since the program is short, we will include the entire GPL'd source
code in our advisory so that the world can understand how gifted we
are as both programmers and security experts.
We at SNO (Secure Network Operations) understand that every
programmer has two modes. Secure mode and insecure mode. And
although our teenybopper staff severely screwed up this non
critical application we assure you that they would never make
similar mistakes in critical applications. It does not indicate
that we didn't audit SNORT before shamelessly repackaging it and
providing it with a "convenient single-target environment."
/*
Apex Intrusion Detection Solution (TM)
Copyright (C) 2003, Secure Network Operations, Inc. All rights reserved.
-------------------------------------------------------------------------
http://www.secnetops.com
Compile gcc -o iptohex iptohex.c
usage: ./iptohex <IP-V4-ADDRESS>
Released under the GNU Public License.
*/
#include <curses.h>
#include <stdio.h>
#include <stdlib.h>   /* atoi(), exit(): this include was missing */
#include <string.h>

char *ip(char *ip, char *iphex)
{
    char buf[80], buf2[80];
    int p = 0, i = 0;
    iphex[0] = 0;
    while (ip[p] != 0)
    {
        i = 0;
        /* copies one dotted component into buf[80] with no length check;
           a component longer than 79 bytes overflows buf */
        while (ip[p] != '.' && ip[p] != 0)
        {
            buf[i++] = ip[p++];
        }
        buf[i] = 0;
        sprintf(buf2, "%02X", atoi(buf));
        strcat(iphex, buf2);
        if (ip[p] != 0) p++;
    }
    return iphex;
}

int main(int argc, char *argv[])
{
    char buf[128];
    char mkch[128];
    if (argc == 1)
    {
        printf("usage : iptohex [ip address]\n");
        printf("return: hex\n");
        exit(0);
    }
    /* strncpy() does not NUL-terminate mkch when argv[1] is 128 bytes
       or longer, so ip() keeps reading past the end of mkch */
    strncpy(mkch, argv[1], 128);
    printf("0x%s\n", ip(mkch, buf));
    return 0;
}
To begin tracing the bug down, compile the software and run it with a
long string of A's generated with perl -e on the command line. If
you use enough A's, it should crash. In the spirit of full
disclosure, we will allow the community to help track down all the
issues with the program, and maybe help us better understand the very
languages that we are experts at.
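For comparison, here is a bounded rewrite of the same ip-to-hex conversion. This is an added example, not code from the advisory or from Secure Network Operations: the function names ip_to_hex_safe and convert_arg are my own, and it assumes the same 128-byte argument buffer and two-hex-digits-per-octet output as the original.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bounded rewrite of the advisory's ip(): every copy is length-checked and
 * the input must be four octets of 0..255. Returns 1 (iphex = 8 hex digits) or 0. */
int ip_to_hex_safe(const char *ip, char *iphex, size_t outlen)
{
    size_t p = 0; int octets = 0;
    if (outlen < 9) return 0;            /* "XXXXXXXX" + NUL must fit */
    iphex[0] = '\0';
    while (octets < 4) {
        char buf[4], hex[3];             /* 3 digits + NUL; 2 hex + NUL */
        size_t i = 0;
        while (ip[p] >= '0' && ip[p] <= '9') {
            if (i == 3) return 0;        /* 4th digit would overflow buf */
            buf[i++] = ip[p++];
        }
        if (i == 0) return 0;            /* empty octet, e.g. "1..2.3" */
        buf[i] = '\0';
        int v = atoi(buf);
        if (v > 255) return 0;
        snprintf(hex, sizeof hex, "%02X", v);
        strcat(iphex, hex);              /* at most 8 chars, checked above */
        if (++octets < 4) {
            if (ip[p] != '.') return 0;  /* too few octets or bad separator */
            p++;
        }
    }
    return ip[p] == '\0';                /* reject trailing garbage */
}
/* The original main() did strncpy(mkch, argv[1], 128) and never terminated
 * mkch, so a 128+ byte argument runs ip() off the end. Reject it instead. */
int convert_arg(const char *arg, char *out, size_t outlen)
{
    char mkch[128];
    if (strlen(arg) >= sizeof mkch) return 0;
    strncpy(mkch, arg, sizeof mkch);
    mkch[sizeof mkch - 1] = '\0';        /* terminate even if strncpy did not */
    return ip_to_hex_safe(mkch, out, outlen);
}
int main(int argc, char *argv[])
{
    char out[16];
    if (argc != 2 || !convert_arg(argv[1], out, sizeof out)) {
        fprintf(stderr, "usage: iptohex <dotted-quad IPv4 address>\n");
        return 1;
    }
    printf("0x%s\n", out);
    return 0;
}
```

Fed the long string of A's the advisory describes, convert_arg() returns 0 and nothing is copied, instead of crashing.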
Vendor Status : Currently awaiting the assistance of
community members to help us track down why the program is crashing,
before we can issue a fix and send the latest version of the ANVIL
livecd to our customer.
Bugtraq URL : To be assigned. CVE candidate CAN-2003-0911.
Special thanks to iDefense for allowing our "company" to participate
in the profiling of the Phrack High Council. In the end, it seems we
are the ones that got "reconned", and that there are probably better
sources of "intelligence" than either Snosoft or iDefense.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability. Exploit source code is no
longer released in our advisories but can be obtained under
contract. Contact our sales department at sales@...netops.com for
further information on how to obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"The act of reconning is a race condition; we attempt to recon you
before you recon us, but we aren't always as successful as we'd like."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html