CVE-2006-2769: HTTP Inspect preprocessor evasion

Related Vulnerabilities: CVE-2006-2769  

Debian Bug report logs - #381726


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sun, 6 Aug 2006 20:03:09 UTC

Severity: normal

Tags: security

Fixed in version snort/2.3.3-8

Done: Javier Fernández-Sanguino Peña <jfs@computer.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#381726; Package snort.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Javier Fernández-Sanguino Peña <jfs@computer.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-2769: HTTP Inspect preprocessor evasion
Date: Sun, 06 Aug 2006 21:25:04 +0200
Package: snort
Severity: grave
Tags: security
Justification: user security hole

A security issue has been found in snort. Quoting CVE-2006-2769:

The HTTP Inspect preprocessor (http_inspect) in Snort 2.4.0 through
2.4.4 allows remote attackers to bypass "uricontent" rules via a
carriage return (\r) after the URL and before the HTTP declaration.

AFAICS this problem is also in 2.3.

A patch (for 2.4) is available at
http://www.demarc.com/files/patch_20060531/snort-2.4.4-demarc-patch.diff

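The evasion described in the CVE text above (and again, from the other side, in Javier's review below and in the snort.org news item quoted in the changelog) comes down to a parser mismatch: the sensor decides where the Request-URI ends by one set of rules, the target web server by another, and a rule keyed on `uricontent` only sees the sensor's version. The following is an added example written for this page; it is not code from the Debian bug, from Demarc's patch or from Snort. The two extractors are simplified stand-ins for "a strict sensor" and "an Apache-like server" (the real http_inspect state machine is different), the Apache behaviour (request line split on runs of any whitespace) is stated as an assumption, and the rule pattern and requests are constructed.

```python
"""Model of the CVE-2006-2769 evasion: the sensor's request-line parser and the
target web server's parser disagree about what the Request-URI is.

Added example; not code from the Debian bug, from Demarc's patch or from Snort.
The two extractors are simplified stand-ins, not the http_inspect state machine,
and all traffic below is constructed.
"""
import re
from typing import Callable, Optional

# Hypothetical uricontent pattern and constructed requests (not from the advisory).
RULE_URICONTENT = b"/cgi-bin/vulnerable.cgi"
NORMAL = b"GET /cgi-bin/vulnerable.cgi HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# The CVE text: a carriage return after the URL and before the HTTP declaration.
EVASION = b"GET /cgi-bin/vulnerable.cgi\r HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

CTL = set(range(0x20)) | {0x7F}   # RFC 2616 CTL octets, never valid inside a URI


def request_line(raw: bytes) -> bytes:
    """First line of the request: everything up to the first LF, trailing CR removed."""
    end = raw.find(b"\n")
    line = raw if end < 0 else raw[:end]
    return line[:-1] if line.endswith(b"\r") else line


def uri_rfc_strict(raw: bytes) -> Optional[bytes]:
    """Strict model: Method SP Request-URI SP HTTP-Version, no CTL byte in the URI.

    A malformed line yields no URI at all, so there is no buffer for uricontent
    to match against. The target, if it is more permissive, still serves the
    request: that gap is the evasion."""
    parts = request_line(raw).split(b" ")
    if len(parts) != 3:
        return None
    uri = parts[1]
    if any(octet in CTL for octet in uri):
        return None
    return uri


def uri_apache_like(raw: bytes) -> Optional[bytes]:
    """Apache-style model (assumption: the request line is split on runs of any
    whitespace, so an embedded CR is just another separator, not part of the URI)."""
    parts = re.split(rb"\s+", request_line(raw).strip())
    if len(parts) < 2:
        return None
    return parts[1]


def rule_fires(raw: bytes, extractor: Callable[[bytes], Optional[bytes]],
               pattern: bytes = RULE_URICONTENT) -> bool:
    """uricontent semantics: substring match against the extracted URI buffer."""
    uri = extractor(raw)
    return uri is not None and pattern in uri


def evasion_report() -> dict:
    """Which requests the rule catches under each parsing model."""
    return {
        "normal_strict": rule_fires(NORMAL, uri_rfc_strict),
        "normal_apache": rule_fires(NORMAL, uri_apache_like),
        "evasion_strict": rule_fires(EVASION, uri_rfc_strict),   # missed by the sensor
        "evasion_apache": rule_fires(EVASION, uri_apache_like),  # caught once the sensor parses like the target
    }


if __name__ == "__main__":
    for name, fired in evasion_report().items():
        print(f"{name:15s} uricontent fired: {fired}")
```

The point the snort.org note makes about "target-based profiles" is the last line of the report: the only parser that matters for detection is the one that reproduces what the protected server will do with the bytes, and a stricter sensor is not a safer one.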


Information forwarded to debian-bugs-dist@lists.debian.org, Javier Fernández-Sanguino Peña <jfs@computer.org>:
Bug#381726; Package snort.


Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Javier Fernández-Sanguino Peña <jfs@computer.org>.


Message #10 received at 381726@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 381726@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Review of this bug (and pending upload)
Date: Thu, 10 Aug 2006 07:54:41 +0200
severity 381726 normal
thanks

Demarc reported a security vulnerability to Snort through Bugtraq. This
"security" issue is actually a problem with the HTTP inspector module in
Snort which prevents it from detecting an attack against *Apache* web servers
(not others) because it doesn't take into account that a carriage return
might be included in the request and accepted (even if it's not RFC-compliant). More
info in the attached text file.

FYI, the 2.4.5 changelog of Snort says:
2006-06-05 - Snort 2.4.5 Released
    * Fixed potential evasion in URI content buffers
    * Fixed potential evasion in Stream4

So, actually, two evasion bugs were fixed in this engine.

I have backported both fixes to the 2.3.3-8 packages and have uploaded
a new snort package. However, I don't think that the 'grave' severity of this
bug stands and I'm downgrading it.

Notice that:

a) it is an evasion issue, not a security vulnerability. That is, it only
affects the ability of Snort to detect attacks (but much in the same way that
an *outdated* ruleset [1] could be considered a security issue)

b) it only affects attacks to Apache web servers

For reference, attached is the 2.4.4 vs. 2.4.5 patch (stripping other info)
which fixes the bug; it is easily backported to 2.3.3 (there is only one
rejection, easy to solve). [2]

Regards

Javier

[1]  Like the one we are providing due to the license change in Snort, post
2.3, with the appearance of the VRT rules

[2] Even if asked to (in #320920) I'm not sure it is reasonable to do
an upgrade to 2.6.0 and provide a Snort package with *no* ruleset (which
means that the Snort service could not be started by default). Since people
now have to download it manually from snort.org as it is not provided
in the GPL package.
[CVE-2006-2769.diff (text/plain, attachment)]
[CVE-2006-2769.text (text/plain, attachment)]

Severity set to `normal' from `grave'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.


Reply sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #17 received at 381726-close@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: 381726-close@bugs.debian.org
Subject: Bug#381726: fixed in snort 2.3.3-8
Date: Wed, 09 Aug 2006 23:02:13 -0700
Source: snort
Source-Version: 2.3.3-8

We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:

snort-common_2.3.3-8_all.deb
  to pool/main/s/snort/snort-common_2.3.3-8_all.deb
snort-doc_2.3.3-8_all.deb
  to pool/main/s/snort/snort-doc_2.3.3-8_all.deb
snort-mysql_2.3.3-8_i386.deb
  to pool/main/s/snort/snort-mysql_2.3.3-8_i386.deb
snort-pgsql_2.3.3-8_i386.deb
  to pool/main/s/snort/snort-pgsql_2.3.3-8_i386.deb
snort-rules-default_2.3.3-8_all.deb
  to pool/main/s/snort/snort-rules-default_2.3.3-8_all.deb
snort_2.3.3-8.diff.gz
  to pool/main/s/snort/snort_2.3.3-8.diff.gz
snort_2.3.3-8.dsc
  to pool/main/s/snort/snort_2.3.3-8.dsc
snort_2.3.3-8_i386.deb
  to pool/main/s/snort/snort_2.3.3-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 381726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated snort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 10 Aug 2006 00:44:36 +0200
Source: snort
Binary: snort-mysql snort-doc snort-rules-default snort-common snort-pgsql snort
Architecture: source i386 all
Version: 2.3.3-8
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description: 
 snort      - Flexible Network Intrusion Detection System
 snort-common - Flexible Network Intrusion Detection System [common files]
 snort-doc  - Documentation for the Snort IDS [documentation]
 snort-mysql - Flexible Network Intrusion Detection System [MySQL]
 snort-pgsql - Flexible Network Intrusion Detection System [PostgreSQL]
 snort-rules-default - Flexible Network Intrusion Detection System ruleset
Closes: 381726
Changes: 
 snort (2.3.3-8) unstable; urgency=medium
 .
   * Fix security issue CVE-2006-2769, potential evasion in URI content
     buffers. This evasion only applies to Apache protected servers since
     that server supports some characters. The patch used is from 2.4.5
     and is *not* the one provided by Demarc (which is not fully
     comprehensive and is much more intrusive).
     Since this is an evasion issue and not a real security issue, the
     urgency is 'medium' even though it fixes a security bug. (Closes:
     #381726)
 .
     From upstream (snort.org webpage, News item "Possible Evasion in
     http_inspect"):
 .
      «The Apache web server supports special characters in HTTP requests that
      do not affect the processing of the particular request. The current
      target-based profiles for Apache in the http_inspect preprocessor do not
      properly handle these requests, resulting in the possibility that an
      attacker can bypass detection of rules that use the "uricontent" keyword
      by embedding special characters in a HTTP request.»
 .
      «It is important to note that this is an evasion and not a vulnerability.
      This means that while it is possible for an attacker to bypass detection,
      Snort sensors and the networks they protect are not at a heightened risk
      of other attacks.»
 .
   * Backport fix of another (different) potential evasion in Stream4 (also in
     the Snort 2.4.5 release, no CVE name)
   * Relocate Czech translation, it was not under debian/po
   * Add a warning in /etc/default/snort that the SNORT_USER will be
     modified (with usermod) every time you reinstall the package
     (don't change it to 'root'!)
Files: 
 5815a2ce3d8dc39fec057394fce1081e 961 net optional snort_2.3.3-8.dsc
 6cfe673ee3abbdf96d5003fec30527a4 350526 net optional snort_2.3.3-8.diff.gz
 24ee623d75c35c83514efe797997c759 94450 net optional snort-common_2.3.3-8_all.deb
 27f0b6579372d7aefc8889ee69f12fac 1800212 doc optional snort-doc_2.3.3-8_all.deb
 932993d0f895485512c1f976ff6ae402 233212 net optional snort-rules-default_2.3.3-8_all.deb
 db30e71458afba97b1c363675b4a98c0 358890 net optional snort_2.3.3-8_i386.deb
 705fd479250a20cc875f60ca83be25c5 365824 net extra snort-mysql_2.3.3-8_i386.deb
 e14329f507a72b07708c4144368f0609 365098 net optional snort-pgsql_2.3.3-8_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:56:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:07:21 2019; Machine Name: buxtehude
