The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Snort

vulnerability announcement CVE-2016-1417

Snort: executing DLL code via tcapi.dll

Synthesis of the vulnerability

An attacker can create a malicious tcapi.dll DLL, and then put it in the current directory of Snort, in order to execute code.
Impacted products: Snort.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 03/10/2016.
Identifiers: CVE-2016-1417, VIGILANCE-VUL-20752.

Description of the vulnerability

The Snort product uses external shared libraries (DLL).

However, if the working directory contains a malicious tcapi.dll DLL, it is automatically loaded.

An attacker can therefore create a malicious tcapi.dll DLL, and then put it in the current directory of Snort, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin 12343

Snort: buffer overflow of Sourcefire VRT Rules

Synthesis of the vulnerability

When the administrator has installed Sourcefire VRT Rules and enabled rule "3:20275", an attacker can use the DCE RPC EnumeratePrintShares function to trigger an overflow in Snort, which may lead to code execution.
Impacted products: Snort.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 21/01/2013.
Identifiers: BID-57476, CERTA-2013-AVI-056, VIGILANCE-VUL-12343.

Description of the vulnerability

The rule "3:20275" of Sourcefire VRT Rules detects attacks against the vulnerability CVE-2009-0228 (VIGILANCE-VUL-8778). This vulnerability is an overflow in EnumeratePrintShares, which lists print shares. This rule is not enabled by default.

This rule is implemented in the rule20275eval() function of the so_rules/src/netbios_kb961501-smb-printss-reponse.c file. This function checks that the number of entries in the EnumeratePrintShares message does not exceed 20; however, it stores them in an array of 10 slots. An attacker can therefore send a message containing between 11 and 20 entries in order to trigger a buffer overflow.

When the administrator has installed Sourcefire VRT Rules and enabled rule "3:20275", an attacker can therefore use the DCE RPC EnumeratePrintShares function to trigger an overflow in Snort, which may lead to code execution.
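As an added example (not Vigil@nce's or Sourcefire's code), the following Python models the defect described above: a bound check that accepts up to 20 entries while the table has 10 slots, beside a parser whose bound is derived from the table capacity and which also verifies the declared count against the bytes present. The message layout (a 4-byte little-endian count followed by fixed-size entries) is constructed for the example and is not the real NDR encoding of EnumeratePrintShares.

```python
import struct

# Numbers from the bulletin: the rule checked the entry count against 20,
# but stored entries in a table of 10 slots.
TABLE_SLOTS = 10
CHECKED_LIMIT = 20
ENTRY_LEN = 8  # constructed: each entry is 8 bytes in this toy layout


def passes_original_check(count: int) -> bool:
    """The check as the bulletin describes it: only count > 20 is rejected."""
    return count <= CHECKED_LIMIT


def fits_table(count: int) -> bool:
    """What the check should have enforced: the table holds 10 entries."""
    return count <= TABLE_SLOTS


def overflow_window() -> list:
    """Counts that pass the original check yet do not fit the table."""
    return [n for n in range(256) if passes_original_check(n) and not fits_table(n)]


def build_message(count: int) -> bytes:
    """Constructed sample message: uint32 LE count, then `count` dummy entries."""
    return struct.pack("<I", count) + bytes(ENTRY_LEN) * count


def parse_entries(msg: bytes, slots: int = TABLE_SLOTS):
    """Hardened parser: the bound is the table capacity, and the declared
    count is checked against the bytes actually present.

    Returns the list of entries, or None when the message is rejected.
    """
    if len(msg) < 4:
        return None
    (count,) = struct.unpack_from("<I", msg, 0)
    if count > slots:                       # bound tied to storage, not a constant 20
        return None
    if len(msg) < 4 + count * ENTRY_LEN:    # truncated message: reject, never read past end
        return None
    return [msg[4 + i * ENTRY_LEN: 4 + (i + 1) * ENTRY_LEN] for i in range(count)]
```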

computer vulnerability announcement CVE-2010-0102

IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty-three standard packet-variation techniques are not detected by most IDS/IPS.
Impacted products: FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
Identifiers: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.

Description of the vulnerability

IDS/IPS capture network frames and analyze their content in order to detect intrusion attempts. Attackers usually apply variations to these packets in order to bypass IDS/IPS. Twenty-three standard packet-variation techniques are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations. They are based on methods known for 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.

An attacker can send an SMB Write packet with a special "writemode" value, followed by other SMB Write packets to be ignored. [severity:2/4]

An attacker can split SMB Write data in packets containing only one byte, encapsulated in small IPv4/TCP fragments. [severity:2/4]

An attacker can duplicate each IPv4 packet, with additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages where all integers are encoded as Big Endian instead of Little Endian. [severity:2/4]

An attacker can change NDR flags of MSRPC messages. [severity:2/4]

An attacker can create MSRPC fragmented messages in fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages in blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages in blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use an SMB filename starting with "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data in blocks of one byte. [severity:2/4]

An attacker can use a second TCP session using the same port numbers. [severity:2/4]

An attacker can use a TCP session, where the first byte is sent with the urgent flag. [severity:2/4]

An attacker can send a NetBIOS message, with data similar to an HTTP GET query. [severity:2/4]

An attacker can embed 5 SMB Write requests inside one SMB Write. [severity:2/4]

An attacker can fragment an MSRPC query in TCP packets sent in reverse order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent in random order. [severity:2/4]

An attacker can fragment a MSRPC query in TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]

An attacker can send an empty NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet, before each NetBIOS message. [severity:2/4]

An attacker can use an unknown variation. [severity:2/4]

computer vulnerability announcement CVE-2009-3641

Snort: denials of service of IPv6

Synthesis of the vulnerability

When IPv6 is enabled, an attacker can send malformed packets in order to stop Snort.
Impacted products: Fedora, Snort.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/10/2009.
Identifiers: BID-36795, CVE-2009-3641, FEDORA-2009-10751, FEDORA-2009-10783, VIGILANCE-VUL-9117.

Description of the vulnerability

The Snort IDS can be compiled with IPv6 support (--enable-ipv6) and run in verbose mode (-v). However, two vulnerabilities impact this configuration.

An attacker can send an IPv6/TCP packet containing a TCP header truncated before the DataOffset field, which forces a read at an invalid memory address. [severity:2/4]

An attacker can send an IPv6/ICMP packet containing an ICMPv6 Node Information Query NOOP header with invalid data, which forces a read at an invalid memory address. [severity:2/4]

When IPv6 is enabled, an attacker can therefore send malformed packets in order to stop Snort.

computer vulnerability alert 9036

Snort: corruption of unified logs

Synthesis of the vulnerability

When the unified logging is enabled, an attacker can send special packets in order to corrupt the log file of Snort.
Impacted products: Snort.
Severity: 2/4.
Consequences: disguisement.
Provenance: internet client.
Creation date: 22/09/2009.
Identifiers: BID-36473, VIGILANCE-VUL-9036.

Description of the vulnerability

The Snort IDS can log events using several methods: syslog, database, unified, etc. The "unified" method (enabled in the snort.conf configuration file with "output ...unified: filename ...") logs data in a binary format.

The UnifiedLogStreamCallback() function of the output-plugins/spo_unified.c file builds the entry to log. However, when the IP data are fragmented, the fragment offset is not used, so every fragment overwrites the beginning of the record.

When the unified logging is enabled, an attacker can therefore send fragmented packets in order to corrupt the log file of Snort.

computer vulnerability alert CVE-2008-1804

Snort: bypassing with fragments

Synthesis of the vulnerability

An attacker can fragment his IP packets in order to bypass all Snort rules.
Impacted products: Fedora, Mandriva Linux, Snort.
Severity: 3/4.
Consequences: data flow, disguisement.
Provenance: internet client.
Creation date: 22/05/2008.
Identifiers: BID-29327, CERTA-2008-AVI-261, CVE-2008-1804, FEDORA-2008-4986, FEDORA-2008-5001, FEDORA-2008-5045, MDVSA-2009:259, MDVSA-2009:259-1, VIGILANCE-VUL-7846.

Description of the vulnerability

The Snort frag3_engine preprocessor reassembles IP fragments.

The ttl_limit option of this preprocessor defines the maximum difference between the TTLs of fragments to be reassembled. By default, ttl_limit is 5, so the following fragments are accepted:
 - first packet with a TTL of 40
 - second packet with a TTL of 41 (it can legitimately have taken a different route)
The following fragments are rejected without logging:
 - first packet with a TTL of 40
 - second packet with a TTL of 46
This option is useless. It is a design error in Snort 2.6 and 2.8.

If the attacker fragments his IP packets with different TTLs, he thus bypasses all Snort rules.
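An added toy model of the frag3 ttl_limit behaviour as the bulletin describes it (example code, not Snort's); the Fragment and Frag3Tracker names and the alert_on_reject option are assumptions. With the default limit of 5, a TTL pair 40/46 makes the second fragment vanish with no event, so the reassembled payload never reaches the rules; emitting an event on rejection removes that blind spot.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    offset: int     # payload offset in bytes (real IP offsets are in 8-byte units)
    ttl: int
    data: bytes
    more: bool      # IP "more fragments" flag


@dataclass
class Frag3Tracker:
    """Toy model of frag3's ttl_limit behaviour (constructed, not Snort code)."""
    ttl_limit: int = 5                  # default described in the bulletin
    alert_on_reject: bool = False       # assumed fix: do not drop silently
    first_ttl: Optional[int] = None
    frags: Dict[int, bytes] = field(default_factory=dict)
    events: List[Tuple[str, int, int]] = field(default_factory=list)
    total_len: Optional[int] = None

    def add(self, frag: Fragment) -> bool:
        """Accept the fragment, or reject it when its TTL strays too far."""
        if self.first_ttl is None:
            self.first_ttl = frag.ttl
        if abs(frag.ttl - self.first_ttl) > self.ttl_limit:
            # As shipped, the fragment vanishes without any event and the rules
            # never see the reassembled payload; an event closes that blind spot.
            if self.alert_on_reject:
                self.events.append(("FRAG3_TTL_LIMIT_EXCEEDED", self.first_ttl, frag.ttl))
            return False
        self.frags[frag.offset] = frag.data
        if not frag.more:
            self.total_len = frag.offset + len(frag.data)
        return True

    def reassemble(self) -> Optional[bytes]:
        """Return the datagram once every byte is covered, else None."""
        if self.total_len is None:
            return None
        buf = bytearray(self.total_len)
        covered = 0
        for off, data in sorted(self.frags.items()):
            buf[off:off + len(data)] = data
            covered += len(data)
        return bytes(buf) if covered == self.total_len else None  # toy: no overlap handling


def run(ttls: Tuple[int, int], alert: bool = False):
    """Two constructed fragments of one HTTP request, sent with the given TTLs."""
    tracker = Frag3Tracker(alert_on_reject=alert)
    tracker.add(Fragment(0, ttls[0], b"GET /index.html ", True))
    tracker.add(Fragment(16, ttls[1], b"HTTP/1.0\r\n", False))
    return tracker.reassemble(), tracker.events
```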

vulnerability announcement CVE-2005-4872 CVE-2006-7225 CVE-2006-7226

PCRE: integer overflows of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, he can corrupt its memory in order, for example, to execute code.
Impacted products: Debian, Mandriva NF, NLD, OES, openSUSE, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/11/2007.
Revision date: 29/11/2007.
Identifiers: BID-26462, BID-26725, BID-26727, CERTA-2007-AVI-513, CERTA-2008-AVI-103, CERTA-2008-AVI-207, CERTA-2008-AVI-239, CESA-2007-006, CVE-2005-4872, CVE-2006-7224-REJECT, CVE-2006-7225, CVE-2006-7226, CVE-2006-7227, CVE-2006-7228, DSA-1570-1, MDVSA-2008:012, RHSA-2007:1052-01, RHSA-2007:1052-02, RHSA-2007:1059-01, RHSA-2007:1063-01, RHSA-2007:1065-01, RHSA-2007:1068-01, RHSA-2007:1076-02, RHSA-2007:1077-01, RHSA-2008:0546-01, SUSE-SA:2007:062, SUSE-SA:2008:004, VIGILANCE-VUL-7332, VMSA-2008-0003, VMSA-2008-0003.1, VMSA-2008-0007, VMSA-2008-0007.1, VMSA-2008-0007.2.

Description of the vulnerability

The PCRE library implements Perl-compatible regular expressions (different from POSIX ones). Several vulnerabilities affect this library.

An attacker can create an integer overflow in pcre_compile(), via "name_count" and "max_name_size". [severity:1/4; CERTA-2007-AVI-513, CVE-2006-7227]

A sequence like "(?P<0>)(?P<1>)" creates a denial of service. [severity:1/4; CVE-2005-4872]

An attacker can create several integer overflows in pcre_compile(), via "max", "min" and "duplength". [severity:1/4; CERTA-2008-AVI-103, CERTA-2008-AVI-207, CVE-2006-7228]

A special sequence such as "[[,abc,]]" creates a denial of service during its compilation. [severity:1/4; BID-26725, CVE-2006-7225]

A malicious sequence such as "(xxx(?P>B)){3}" can create a memory corruption. [severity:1/4; BID-26727, CVE-2006-7226]

When an attacker can change the regular expression used by a program, he can thus corrupt its memory in order, for example, to execute code. In some cases, he can also read memory contents or create a denial of service.

vulnerability note CVE-2006-7230

PCRE: overflow of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, he can corrupt its memory in order, for example, to execute code.
Impacted products: Debian, NLD, OES, openSUSE, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 19/11/2007.
Identifiers: BID-26550, CERTA-2008-AVI-239, CVE-2006-7230, DSA-1570-1, RHSA-2007:1059-01, RHSA-2007:1068-01, SUSE-SA:2007:062, SUSE-SA:2008:004, VIGILANCE-VUL-7354.

Description of the vulnerability

The PCRE library implements Perl-compatible regular expressions (different from POSIX ones).

A regular expression can carry a modifier, such as 'i' (case insensitive) or 'x' (ignore comments). For example:
  /hello/i

The modifier can also be changed inside the expression. For example:
  /hel(?i)lo(?-i)/

However, PCRE incorrectly computes the memory size requested by 'i' and 'x' changes, which leads to an overflow.

When an attacker can change the regular expression used by a program, he can thus corrupt its memory in order to execute code or to create a denial of service.

vulnerability alert CVE-2007-1659 CVE-2007-1660 CVE-2007-1661

Perl, PCRE: vulnerabilities of regular expressions

Synthesis of the vulnerability

When an attacker can change the regular expression used by a program, he can corrupt its memory in order, for example, to execute code.
Impacted products: Debian, Fedora, Tru64 UNIX, AIX, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, Solaris, Perl Core, PHP, RHEL, Snort, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 05/11/2007.
Revision date: 06/11/2007.
Identifiers: 231524, 315871, 315881, 323571, 6629836, BID-26346, BID-26350, c01362465, CERTA-2007-AVI-481, CERTA-2008-AVI-053, CERTA-2008-AVI-239, CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-5116, DSA-1399-1, DSA-1400-1, DSA-1570-1, FEDORA-2007-2944, FEDORA-2007-3255, FEDORA-2007-748, HPSBTU02311, IZ10220, IZ10244, IZ10245, MDKSA-2007:207, MDKSA-2007:211, MDKSA-2007:212, MDKSA-2007:213, RHSA-2007:0966-01, RHSA-2007:0967-01, RHSA-2007:0968-01, RHSA-2007:1011-01, RHSA-2007:1063-01, RHSA-2007:1065-01, RHSA-2007:1068-01, RHSA-2007:1126-01, RHSA-2008:0546-01, RHSA-2010:0602-02, SSRT080001, SUSE-SA:2007:062, SUSE-SA:2008:004, SUSE-SR:2007:024, SUSE-SR:2007:025, VIGILANCE-VUL-7311, VMSA-2008-0001, VMSA-2008-0001.1, VMSA-2008-0007, VMSA-2008-0007.1, VMSA-2008-0007.2.

Description of the vulnerability

The PCRE library implements Perl-compatible regular expressions (as opposed to POSIX ones). Several vulnerabilities affect this type of regular expression.

A Perl regular expression can contain "\L...\E" to convert to lowercase, "\U...\E" to convert to uppercase and "\Q...\E" to disable metacharacters. However, the "\Q...\E" case is not correctly handled, which desynchronizes the regular expression engine and corrupts its memory. [severity:2/4; 315871, BID-26346, CVE-2007-1659]

The "[...]" brackets define character classes. In some cases, the memory allocated to store them is too short, which corrupts memory. [severity:2/4; 315881, BID-26346, CVE-2007-1660]

The "\X" sequence matches extended Unicode characters. The "\pL" sequence matches lowercase letters. The "\d" sequence matches digits. By combining these sequences in non-UTF-8 mode, an attacker can read memory. [severity:2/4; BID-26346, CVE-2007-1661]

Several functions can read past the end of string searching for parentheses or brackets. [severity:2/4; BID-26346, CVE-2007-1662]

Several integer overflows can occur during the handling of escape sequences. [severity:2/4; BID-26346, CVE-2007-4766]

The "\PX" or "\P{X}" sequence matches the property X. Several infinite loops and overflows occur during the handling of these sequences. [severity:2/4; BID-26346, CVE-2007-4767]

When a string contains a unique Unicode sequence, an optimization is incorrectly applied and leads to an overflow. [severity:2/4; BID-26346, CERTA-2008-AVI-053, CVE-2007-4768]

The Perl regular expression compiler uses two phases: the first computes the necessary size and the second stores the data. However, by using Unicode characters, an attacker can store data longer than the computed size. [severity:2/4; 323571, BID-26350, CERTA-2007-AVI-481, CVE-2007-5116]

When an attacker can change the regular expression used by a program, he can thus corrupt its memory in order, for example, to execute code. In some cases, he can also read memory contents or create a denial of service.

computer vulnerability CVE-2007-2688 CVE-2007-2689 CVE-2007-2734

IDS: bypassing IDS with half or full width characters

Synthesis of the vulnerability

An attacker can use half or full width Unicode characters in order to bypass several IDS.
Impacted products: VPN-1, ASA, IOS by Cisco, Cisco IPS, Cisco Router, TippingPoint IPS, Snort, StoneGate IPS.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2007.
Revision dates: 16/05/2007, 22/05/2007.
Identifiers: 3COM-07-001, 91767, BID-23980, cisco-sr-20070514-unicode, CSCsi58602, CSCsi67763, CSCsi91487, CVE-2007-2688, CVE-2007-2689, CVE-2007-2734, CVE-2007-5793, GS07-01, VIGILANCE-VUL-6815, VU#739224.

Description of the vulnerability

Unicode character tables contain characters with similar displays. For example:
 - the 'à' character can be encoded as U+00E0, or as 'a' followed by the combining grave accent (U+0061 U+0300)
 - the 'ff' string can be encoded as U+0066 U+0066, or with the U+FB00 ligature
 - the 'a' character can be encoded as U+0061, or with the full-width U+FF41 character (full-width characters have a fixed width, like typewriter characters; full-width characters are mainly used as aliases for ASCII characters; half-width characters are mainly used for simplified Asian characters)

Some software automatically converts characters with a similar display. For example, PHP and ASP.NET convert full-width characters to ASCII characters.

Some IDS/IPS do not correctly handle half-width or full-width characters.

An attacker can therefore use these characters to bypass the IDS.
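An added Python example (not from the bulletin) showing how NFKC normalization folds the equivalent spellings listed above before matching, so a signature that a raw substring search misses is still found; the signature "hello" and the full-width payload are constructed for the example.

```python
import unicodedata

# Constructed pairs from the bulletin: each tuple renders alike but uses
# different code points.
VARIANTS = {
    "a-grave": ("\u00e0", "a\u0300"),   # precomposed vs base letter + combining grave
    "ff":      ("ff", "\ufb00"),        # two letters vs the ff ligature
    "a":       ("a", "\uff41"),         # ASCII vs full-width letter
}


def canonical(text: str) -> str:
    """Fold compatibility variants before matching.

    NFKC composes combining sequences (U+0061 U+0300 -> U+00E0) and maps
    compatibility characters to their standard forms: full-width U+FF41 -> 'a',
    ligature U+FB00 -> 'ff', half-width katakana U+FF76 -> U+30AB.
    """
    return unicodedata.normalize("NFKC", text)


def naive_match(signature: str, payload: str) -> bool:
    """Raw substring match, as an IDS comparing the text verbatim would do."""
    return signature in payload


def normalized_match(signature: str, payload: str) -> bool:
    """Match after both sides are normalized to the same form."""
    return canonical(signature) in canonical(payload)


def evasion_gap(signature: str, payload: str) -> bool:
    """True when only the normalized match finds the signature."""
    return normalized_match(signature, payload) and not naive_match(signature, payload)


def all_variants_equivalent() -> bool:
    """Every constructed pair compares equal once normalized."""
    return all(canonical(a) == canonical(b) for a, b in VARIANTS.values())


# Constructed payload: "hello" typed with full-width letters U+FF48..U+FF4F.
FULLWIDTH_HELLO = "\uff48\uff45\uff4c\uff4c\uff4f world"
```

Normalize a copy used only for matching and keep the original bytes for logging, since NFKC also rewrites legitimate text (superscripts and some symbols, for example).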