
| Subject: | Re: [Snort-sigs] SID 4638 |
|---|---|
| Date: | Fri, 1 Jun 2007 22:06:24 +0200 (CEST) |
Hi,

Maybe the exploit is at this link?: http://www.securityfocus.com/archive/1/396930

Credits: Crusoe Researches http://www.Crusoe-Researches.com contact@Crusoe-Researches.com
=> Crusoe Researches have more than 1985 unique 'snort' rules for Commercial Access (Contact me directly if you are interested)
Azwalaro, a new French open source NIDPS project: http://www.Crusoe-Researches.com/azwalaro/ azwalaro@Crusoe-Researches.com

Rmkml

On Fri, 1 Jun 2007, Paul Schmehl wrote:
Date: Fri, 01 Jun 2007 15:01:35 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] SID 4638

--On Friday, June 01, 2007 14:36:45 -0500 trains <trains@doctorunix.com> wrote:

> Quoting Paul Schmehl <pauls@utdallas.edu>:
>
>> I'm trying to figure out what the exploit is for this rule, and the FrSIRT "explanation" is a bit of a headscratcher. Here's the rule:
>>
>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:3;)
>
> It seems to me that to exploit this flaw, the victim would have to be running tcpdump on a router that is running RSVP, or possibly sniffing the traffic between two routers running RSVP. Then, by engineering some special RSVP traffic out one router interface, the aggressor could crash tcpdump on the other router or on the network monitoring device.
>
> It does seem like a bit of a stretch for a small payoff (crashing the tcpdump process). I suspect if I own one of your routers, you have a way bigger problem than if I decide to crash your network monitor. I would be inclined to call it a bad rule.
>
> Can you post the packet traces that are causing it to fire off?

Here you go. I wouldn't call it a "bad" rule. Not very useful might be a more accurate description. I can see how it could be used in a directed attack to try and hide traffic, but that's about it.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
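An added illustration, not part of the thread and not Sourcefire's or tcpdump's code: it re-expresses the three payload tests of SID 4638 in Python and places them next to an RSVP object walker that refuses the condition the rule's msg names, an object (or subobject) length too small to advance the parser. The byte offsets are read against RFC 2205, where the 8-byte common header is followed by object headers of Length(2), Class-Num(1), C-Type(1), so bytes 10 and 11 are the first object's Class-Num and C-Type; RFC 3209 assigns Class-Num 20 (0x14) to EXPLICIT_ROUTE and 21 (0x15) to RECORD_ROUTE, whose subobjects carry a one-byte length at the position byte_test inspects (byte 13). Assumptions: for an `alert ip` rule Snort's payload is the data after the IP header, and the two sample messages are constructed here rather than taken from the traces Paul mentions.

```python
"""Safe RSVP object walk beside a re-expression of Snort SID 4638 (added example)."""
import struct

RSVP_HDR_LEN = 8      # RFC 2205 common header: ver/flags, msg type, checksum, TTL, rsvd, length
OBJ_HDR_LEN = 4       # object header: Length(2) Class-Num(1) C-Type(1)
EXPLICIT_ROUTE = 20   # RFC 3209 class-nums; the 0x14 / 0x15 bytes in the rule's pcre
RECORD_ROUTE = 21


class MalformedRSVP(ValueError):
    """Raised where a naive parser would read out of bounds or fail to advance."""


def sid_4638_matches(payload: bytes) -> bool:
    """Mirror the rule's three tests over the bytes after the IP header
    (assumption: that is the payload Snort matches for an 'alert ip' rule)."""
    if len(payload) < 14:
        return False
    return (payload[10] in (0x14, 0x15)     # pcre: byte 10 is [\x14\x15]
            and payload[11] == 0x01          # content:"|01|"; offset:11; depth:1
            and payload[13] < 4)             # byte_test:1,<,4,13


def walk_objects(payload: bytes):
    """Yield (class_num, c_type, body) for each object in an RSVP message.
    A length below the 4-byte object header never advances the cursor,
    which is the 'zero length object' case, so it is rejected."""
    if len(payload) < RSVP_HDR_LEN:
        raise MalformedRSVP("truncated common header")
    msg_len = struct.unpack("!H", payload[6:8])[0]
    if msg_len < RSVP_HDR_LEN or msg_len > len(payload):
        raise MalformedRSVP(f"message length {msg_len} disagrees with {len(payload)} bytes on the wire")
    off = RSVP_HDR_LEN
    while off < msg_len:
        if msg_len - off < OBJ_HDR_LEN:
            raise MalformedRSVP(f"trailing {msg_len - off} bytes cannot hold an object header")
        length, class_num, c_type = struct.unpack("!HBB", payload[off:off + OBJ_HDR_LEN])
        if length < OBJ_HDR_LEN or length % 4 or off + length > msg_len:
            raise MalformedRSVP(f"object length {length} at offset {off}")
        yield class_num, c_type, payload[off + OBJ_HDR_LEN:off + length]
        off += length


def walk_subobjects(body: bytes):
    """Yield (type, data) for ERO/RRO subobjects: Type(1, top bit = loose hop)
    then Length(1) covering the whole subobject. Lengths 0 and 1 cannot advance."""
    off = 0
    while off < len(body):
        if len(body) - off < 2:
            raise MalformedRSVP(f"trailing {len(body) - off} byte(s) cannot hold a subobject header")
        sub_len = body[off + 1]
        if sub_len < 2 or off + sub_len > len(body):
            raise MalformedRSVP(f"subobject length {sub_len} at body offset {off}")
        yield body[off] & 0x7F, body[off + 2:off + sub_len]
        off += sub_len


def analyze(payload: bytes) -> str:
    """Return 'ok' when the walkers accept the message, else describe the defect."""
    try:
        for class_num, c_type, body in walk_objects(payload):
            if class_num in (EXPLICIT_ROUTE, RECORD_ROUTE) and c_type == 1:
                for _ in walk_subobjects(body):
                    pass
    except MalformedRSVP as exc:
        return f"malformed: {exc}"
    return "ok"


# --- constructed sample messages (not captured traffic) ---
def build_object(class_num: int, c_type: int, body: bytes) -> bytes:
    return struct.pack("!HBB", OBJ_HDR_LEN + len(body), class_num, c_type) + body


def build_message(*objects: bytes, msg_type: int = 1) -> bytes:
    total = RSVP_HDR_LEN + sum(len(o) for o in objects)
    # version 1, flags 0, checksum 0 (RFC 2205: none transmitted), send TTL 255, reserved 0
    return struct.pack("!BBHBBH", 0x10, msg_type, 0, 255, 0, total) + b"".join(objects)


# ERO holding one IPv4 prefix subobject: Type 1, Length 8, address, prefix length, reserved
GOOD_ERO = build_object(EXPLICIT_ROUTE, 1, struct.pack("!BB4sBB", 1, 8, bytes([192, 0, 2, 1]), 32, 0))
# Same object, but the subobject length byte (payload offset 13) is zero
BAD_ERO = build_object(EXPLICIT_ROUTE, 1, bytes([1, 0]) + b"\x00" * 6)

GOOD_MSG = build_message(GOOD_ERO)
BAD_MSG = build_message(BAD_ERO)

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        print(f"{name}: sid4638={sid_4638_matches(msg)} walker={analyze(msg)}")
```

The two functions make the difference in scope visible: `sid_4638_matches` tests one fixed position in the payload, while `walk_objects` and `walk_subobjects` apply the same "length must be able to advance the cursor" check to every object and subobject wherever it sits in the message, which is the check a decoder needs so that a short length leaves it with an error rather than a hang.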