March 3rd, 2003, 06:37 PM
Snort RPC Preprocessing Vulnerability
ISS X-Force has discovered a remotely exploitable buffer overflow condition in Snort. Snort is an open source intrusion detection system. A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable to attack.
Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to an RPC portmapper service to exploit this vulnerability.
Snort may be installed by default on some commercially available network-security appliances. Remote attackers can exploit this vulnerability by directing the exploit towards any host on any network monitored by the Snort intrusion detection system. A successful attack can either crash the Snort sensor, or lead to complete remote compromise.
March 3rd, 2003, 06:40 PM
A fix is already out for this. It only took about a half hour for them to nail it down.
March 3rd, 2003, 06:55 PM
But it is going to take 20 minutes X ?10,000+? (snort's userbase) to ensure everyone is safe.
March 3rd, 2003, 07:22 PM
Snort has provided the following information about availability of patches for inclusion in this advisory:
Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Binaries are not available at this time, this is a source release only. As new binaries become available they will be added to the site.
March 4th, 2003, 09:23 AM
Re: Snort RPC Preprocessing Vulnerability
If you can't upgrade immediately, you should disable the RPC preprocessor:
If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:
and replace it with:
# preprocessor rpc_decode
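The workaround from the post above, as an added example that is not part of the original thread or of Snort's own tooling: a small Python helper that finds every active `preprocessor rpc_decode` line in a snort.conf and comments it out, leaving already-disabled lines alone. The sample configuration is constructed for illustration, and the function name is hypothetical.

```python
import re

# Matches an active (uncommented) rpc_decode directive, with or without
# arguments such as a port list. Leading whitespace is captured so the
# original indentation is preserved.
ACTIVE_RPC_DECODE = re.compile(r"^(\s*)(preprocessor\s+rpc_decode\b.*)$")

# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111
    preprocessor rpc_decode
preprocessor stream4: detect_scans
"""


def disable_rpc_decode(conf_text):
    """Comment out active rpc_decode lines.

    Returns (new_text, changed) where changed is the list of 1-based
    line numbers that were commented out. Running it again on the
    result changes nothing, so it is safe to apply repeatedly.
    """
    out, changed = [], []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = ACTIVE_RPC_DECODE.match(line)
        if m:
            out.append(f"{m.group(1)}# {m.group(2)}")
            changed.append(lineno)
        else:
            out.append(line)
    trailing = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    patched, changed = disable_rpc_decode(SAMPLE_CONF)
    print(f"commented out line(s): {changed}")
    print(patched, end="")
```

Snort reads its configuration at startup, so the sensor has to be restarted after the file is changed for the preprocessor to actually be disabled.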