Results 1 to 5 of 5

Thread: Snort RPC Preprocessing Vulnerability

  1. #1
    Join Date
    Nov 2002

    Exclamation Snort RPC Preprocessing Vulnerability

    ISS X-Force has discovered a remotely exploitable buffer overflow condition in Snort. Snort is an open source intrusion detection system. A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable to attack.

    Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to a RPC portmapper service to exploit this vulnerability.

    Snort may be installed by default on some commercially available network- security appliances. Remote attackers can exploit this vulnerability by directing the exploit towards any host on any network monitored by the Snort intrusion detection system. A successful attack can either crash the Snort sensor, or lead to complete remote compromise.

    ISS you are the besthttp://www.issadvisor.com/images/personal/pisson.gifbecause you piss on the rest

    [gloworange]www.issadvisor.com [/gloworange]

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    A fix is already out for this. It only took about a half hour for them to nail it down.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Join Date
    Nov 2002
    But it is going to take 20 minutes X ?10,000+? (snort's userbase) to ensure everyone is safe.
    ISS you are the besthttp://www.issadvisor.com/images/personal/pisson.gifbecause you piss on the rest

    [gloworange]www.issadvisor.com [/gloworange]

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Snort has provided the following information about availability of patches
    for inclusion in this advisory:

    Sourcefire has acquired additional bandwidth and hosting to aid users
    wishing to upgrade their Snort implementation. Binaries are not available at
    this time, this is a source release only. As new binaries become available
    they will be added to the site.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Junior Member
    Join Date
    Feb 2003

    Exclamation Re: Snort RPC Preprocessing Vulnerability

    If you can't upgrade immediately, you should disable the RPC preprocessor:

    If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:

    preprocessor rpc_decode

    and replace it with:

    # preprocessor rpc_decode
    Aim for the impossible, and you will achieve the improbable.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts