Snort - white space vulnerability.

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator)
     Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,884

    Snort - white space vulnerability.

    THE SPLOIT DETAILS
    ======================
    Before I begin, this vulnerability is not specific to Snort alone. There are many IDS systems that are still using fixed strings to identify "bad" traffic. However, many others are doing the right thing and are stripping out white spaces and backspaces *before* applying their rule set.

    PLATFORM
    =====================
    RedHat 8.0 with all the latest patches
    Snort 1.9.1

    WHAT I DID
    ======================
    Telnet to SMTP server and added one additional space to the MAIL FROM command. (I won't post the actual command as security pros here know exactly what commands I'm using).

    WHAT SNORT DID
    ======================
    When adding the extra white space, snort was more than happy to allow the traffic through. Now, I know that myself and others have reported this to the snort developers a *long* time ago but the fix would require a ton of development work.

    Snort is a very good freeware tool but now that commercial IDS companies have started shipping whitespace and backspace aware IDS systems, I'd certainly invest a few bucks in one.

    Hope this helps out!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2 instronics (Antionline's Security Dude)
     Join Date: Dec 2002 | Posts: 901
    Nice. Very helpful and interesting. I wonder though, did the snort developers comment on this at all?

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  3. #3 thehorse13 (Master-Jedi-Pimps0r & Moderator)
     Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,884
    Yes, the first time I reported this, they told me that in order to fix this, they would need to rewrite much of the engine. They also said that the task at hand for just 3 developers would be daunting and they didn't expect to fix it quickly. This was about a year ago. Since then, I always test new releases of snort for this issue. I think that my next step is to fire something off to BugTraq but I will wait for the next release before doing so.

  4. #4 tampabay420 (Senior Member)
     Join Date: Aug 2002 | Posts: 953
    not to bug ya, but the whitespace thing...
    where is the whitespace included, before / after / inside the targeted data?
    you mentioned backspaces, is it just spaces/backspaces- or is it any blank character (null, bell, etc...) thanx for the info- as i use snort for my IDS ... any known ways to protect against?

    btw- much propers on the find !
    yeah, I'm gonna need that by friday...

  5. #5 thehorse13 (Master-Jedi-Pimps0r & Moderator)
     Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,884
    I put the whitespaces in between "MAIL FROM". This works for white spaces and backspaces and there is no fix available.

    Sorry to bring ya that little bit of bad news Tampa
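As an added example of the evasion described in post #1 and pinned down in post #5 (this is not code from the thread and not Snort's rule engine), the script below puts a naive fixed-string matcher next to one that first applies backspaces and collapses whitespace runs, then runs both over a few constructed SMTP command lines. The signature string, the sample lines and the addresses in them are all made up for the demonstration; the "extra space inside MAIL FROM" and "backspace" lines are the two variants the posts describe.

```python
"""Fixed-string IDS matching vs. whitespace/backspace-normalised matching.

Added example: SAMPLES are constructed SMTP command lines (assumption, not
captured traffic), and SIGNATURE is a hypothetical fixed-string rule of the
kind the thread says a signature engine would apply verbatim.
"""
import re

BS = "\x08"  # ASCII backspace

# Hypothetical fixed-string signature (assumption for the demo).
SIGNATURE = "MAIL FROM"

# Constructed samples: the plain command, the extra-space variant from the
# thread, a tab variant, a backspace variant, and an unrelated benign command.
SAMPLES = {
    "plain":     "MAIL FROM:<attacker@example.com>\r\n",
    "space":     "MAIL  FROM:<attacker@example.com>\r\n",          # extra space between MAIL and FROM
    "tab":       "MAIL\tFROM:<attacker@example.com>\r\n",          # tab instead of a space
    "backspace": "MAILX" + BS + " FROM:<attacker@example.com>\r\n", # stray char erased by a backspace
    "benign":    "RCPT TO:<victim@example.com>\r\n",
}

WS_RUN = re.compile(r"[ \t]+")


def naive_match(payload: str, signature: str = SIGNATURE) -> bool:
    """The matcher the thread complains about: literal substring search."""
    return signature in payload


def apply_backspaces(payload: str) -> str:
    """Interpret \\x08 as 'erase the previous character' (terminal semantics,
    one assumed reading of 'backspace aware'); a backspace with nothing before
    it is simply dropped."""
    out = []
    for ch in payload:
        if ch == BS:
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def normalize(payload: str) -> str:
    """Canonical form used for matching: backspaces applied, then every run
    of spaces/tabs collapsed to a single space."""
    return WS_RUN.sub(" ", apply_backspaces(payload))


def normalized_match(payload: str, signature: str = SIGNATURE) -> bool:
    """Match against the normalised payload instead of the raw bytes."""
    return signature in normalize(payload)


def evasion_report() -> dict:
    """Return {sample name: (naive hit?, normalised hit?)} for every sample."""
    return {name: (naive_match(p), normalized_match(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{'sample':<10} {'naive':<6} {'normalised':<10}")
    for name, (naive, norm) in evasion_report().items():
        print(f"{name:<10} {str(naive):<6} {str(norm):<10}")
```

Running it shows the three evasion variants slipping past the naive matcher while the normalised matcher catches all of them and still leaves the benign RCPT line alone. The only fix demonstrated is the one the posts describe, normalising before the rule is applied; a real protocol decoder would also fold case (SMTP verbs are case-insensitive) and handle whatever other separators the server itself tolerates, since anything the server accepts and the IDS does not canonicalise is another gap of the same shape.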
