193809 – (CVE-2006-2769) CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability

Bug 193809 (CVE-2006-2769) - CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability

Summary: CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2006-2769
Product:	Fedora
Classification:	Fedora
Component:	snort
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Dennis Gilmore
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-06-01 18:56 UTC by Dennis Gilmore
Modified:	2007-11-30 22:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:	2.6.0-1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-06-29 11:34:53 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)

Description Dennis Gilmore 2006-06-01 18:56:27 UTC

Snort is reportedly prone to a vulnerability that may allow malicious packets 
to bypass detection. 

A successful attack can allow attackers to bypass intrusion detection and to 
carry out attacks against computers protected by Snort.

This vulnerability affects Snort 2.4.4. Other versions may be vulnerable as 
well.

there is no CVE yet

Demarc snort-2.4.4-demarc-patch.diff
 http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff

Comment 1 Dennis Gilmore 2006-06-02 15:24:03 UTC

I've applied the supplied patch. 

Fixed in 2.4.4-4 

Hans  would you mind doing an audit of the snort code?  this is the second 
similar vulnerability this year

Comment 2 Dennis Gilmore 2006-06-02 20:08:26 UTC

turns out that the patch is incomplete.

Comment 3 Ville Skyttä 2006-06-03 18:47:44 UTC

FYI: due to rawhide libpcap packaging issues, libpcap may have been statically
linked in in the current devel snort package, see bug 193189 comment 2

One possible workaround: BuildRequire both libpcap and libpcap-devel

Comment 4 Ville Skyttä 2006-06-29 09:48:47 UTC

Ping, status update?

Comment 5 Dennis Gilmore 2006-06-29 11:34:53 UTC

I was looking at thins last night.  I have updated to 2.6.0  since and 
according to snort.org its fixed there

Sourcefire is aware of a possible Snort evasion that exists in the 
http_inspect preprocessor. This evasion case only applies to protected Apache 
web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will 
have fully tested releases, including binaries, available for both on Monday, 
June 5th.
 
 
 Evasion Details:
 
 The Apache web server supports special characters in HTTP requests that do 
not affect the processing of the particular request. The current target-based 
profiles for Apache in the http_inspect preprocessor do not properly handle 
these requests, resulting in the possibility that an attacker can bypass 
detection of rules that use the "uricontent" keyword by embedding special 
characters in a HTTP request.
 
 
 Background Information:
 
 It is important to note that this is an evasion and not a vulnerability. This 
means that while it is possible for an attacker to bypass detection, Snort 
sensors and the networks they protect are not at a heightened risk of other 
attacks.
 
 
 Timeline:
 
 Sourcefire has prepared fixes and is currently finalizing a complete round of 
testing to ensure that the fixes not only solve the issue at hand but do not 
create new bugs as well. The following releases, including binaries for Linux 
and Windows deployments, will be available on Monday, June 5th:
 
 * Snort v2.4.5
 * Snort v2.6.0 final
 
 
 Questions:
 
 Any questions regarding these releases can be sent to 
snort-team.

Note You need to log in before you can comment on or make changes to this bug.