
Thread: Infocon Yellow: Snort BO Vulnerability (NEW)

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171

    Infocon Yellow: Snort BO Vulnerability (NEW)

    After some deliberation, we feel that the Snort Back Orifice pre-processor vulnerability could become a big problem very fast. As a result, we turned the Infocon status to 'yellow'.

    A number of exploits for this vulnerability have now been published, ranging from denial of service to remote code execution exploits.

    You have a problem if you run Snort Version 2.4 (other than 2.4.3), and if you have the 'bo' preprocessor enabled.

    Why do we think this is a big deal:

    * The exploit is rather easy to write. Yes, its specific to a particular binary, but there are a number of common binaries deployed in large numbers.
    * It uses a single UDP packet, which can lead to very fast spreading worms.
    * The UDP packet can be spoofed, and can use any port combination.
    * Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.

    The quick fix is to disable the BO preprocessor. Please do so NOW (if you haven't already). Worry about upgrading Snort later, after you have done your testing. But going through this myself, it's not that hard.

    Snort before version 2.4 is not vulnerable. Neither is any Snort install that does not have the bo preprocessor enabled.

    Please let us know if you see exploits posted, or have other details to share. We expect to stay on 'yellow' for about 12-24 hrs unless there are any new developments.

    Handler's Diary October 20th 2005

    previous -
    Snort BO status update (NEW)
    Published: 2005-10-20,
    Last Updated: 2005-10-20 05:27:33 UTC by Kyle Haugsness (Version: 1)

    Here is an update regarding the Snort Back Orifice pre-processor vulnerability...(Kyle Haugsness Oct. 20 05:30 UTC)

    When this vulnerability was announced yesterday, I was curious to see how difficult this would be to exploit due to the widespread nature of Snort. After doing a little research on the encryption method in Back Orifice, I was able to develop working exploit code in 2 hours. Bad news!! Of course, we aren't in the business of releasing exploits, so this code is staying private. Now, it appears that HD Moore is very close to having exploit code working as a plugin to metasploit. If we haven't said it loudly enough already, PLEASE UPGRADE your Snort sensors or disable the BO pre-processor if running the vulnerable versions of Snort 2.4 series. I checked the 2.3.2 source tree today and it is not vulnerable.

    How about defensive measures? If you are running Snort and are able to upgrade, then the new version should detect the exploit attempt. But I am working on two additional defensive tools. The first is a Snort signature that should catch the exploit attempt. This should be available real soon now (tm).

    The second tool may prove to be much more valuable. This tool is necessary because of the fact that the exploit can be triggered on any UDP port (except 31337) and that all Back Orifice traffic is encrypted. I don't want to give away more information at this point, since it will help the exploit writers. The tool is a standalone program that utilizes libpcap to sniff traffic and decode UDP traffic looking for the exploit. It will be useful to folks that can't upgrade their Snort daemon to get the new detection it provides, but still want to see if they are being attacked. Secondly, this will be useful to people running a different IDS system that can't decode the Back Orifice encryption. Third, it will probably be very useful in identifying a global worm outbreak.

    Since time is of the essence here, I am hoping to have this tool available very shortly. It will require libpcap and is being developed on Debian Linux. It will not require Snort to be running. Since code portability isn't my strong suit, we may be looking for people to test and port the code to FreeBSD, Solaris, etc. Please drop us an e-mail if you would be willing to help in this area. The source code is currently about 800 lines.



    http://isc.sans.org/diary.php
    SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
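The post above describes a standalone detector that decodes UDP payloads on any port and looks for Back Orifice framing without Snort. The handler's own code was never published; the following is an added example written for this page, not the ISC tool and not Snort's spp_bo.c. It assumes the Back Orifice 1.x encoding that Snort's preprocessor recognizes: every byte of the UDP payload is XORed with a keystream from an MSVC-style LCG (state = state*214013+2531011, keystream byte = low 8 bits of (state>>16)&0x7fff) seeded with a 16-bit key, 31337 when no password is set, and a decrypted frame of magic "*!*QWTY?", a little-endian 32-bit length, a 32-bit id, a type byte, data and a trailing checksum byte (password-to-key derivation and checksum validation are out of scope). The sample frames are constructed in the code, not captured traffic. The point a practitioner should take from it is the one the thread keeps circling: the key space is only 16 bits, so a sensor can brute-force it per packet on any port, and the frame's own length field is attacker-controlled and must only be compared against the bytes actually on the wire, never used to size a buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Back Orifice 1.x framing as recognized by Snort's bo preprocessor (assumed). */
#define BO_MAGIC        "*!*QWTY?"
#define BO_MAGIC_LEN    8
#define BO_HDR_LEN      17      /* magic(8) + len(4) + id(4) + type(1) */
#define BO_MIN_LEN      18      /* header plus the trailing checksum byte */
#define BO_DEFAULT_KEY  31337   /* key used when the BO peer has no password */

/* One keystream byte from the MSVC-style LCG that BO uses as a stream cipher. */
static uint8_t bo_stream_byte(uint32_t *state)
{
    *state = *state * 214013u + 2531011u;
    return (uint8_t)(((*state >> 16) & 0x7fff) & 0xff);
}

/* XOR stream cipher: the same routine encrypts and decrypts. */
void bo_crypt(uint16_t key, const uint8_t *in, uint8_t *out, size_t n)
{
    uint32_t state = key;
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ bo_stream_byte(&state);
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct bo_hdr {
    uint16_t key;     /* key under which the magic decrypted */
    uint32_t len;     /* length field as sent by the peer: untrusted */
    uint32_t id;
    uint8_t  type;
    int      len_ok;  /* 1 only if len equals the bytes actually received */
};

/* Decrypt just the first 8 bytes and compare against the magic. */
static int bo_key_matches(uint16_t key, const uint8_t *pkt)
{
    uint8_t buf[BO_MAGIC_LEN];
    bo_crypt(key, pkt, buf, BO_MAGIC_LEN);
    return memcmp(buf, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/* Returns 1 and fills *h if the payload decrypts to a BO header under any
 * 16-bit key. The default key is tried first, then all others (65536 x 8
 * LCG steps per packet, cheap enough for a sensor). The packet's length
 * field is reported but never used to size a buffer. */
int bo_detect(const uint8_t *pkt, size_t n, struct bo_hdr *h)
{
    if (n < BO_MIN_LEN)
        return 0;
    for (uint32_t k = 0; k < 65536; k++) {
        /* swap 0 and the default key so the common case is checked first */
        uint16_t key = (k == 0) ? BO_DEFAULT_KEY
                     : (k == BO_DEFAULT_KEY) ? 0 : (uint16_t)k;
        if (!bo_key_matches(key, pkt))
            continue;
        uint8_t hdr[BO_HDR_LEN];
        bo_crypt(key, pkt, hdr, BO_HDR_LEN);
        h->key    = key;
        h->len    = le32(hdr + 8);
        h->id     = le32(hdr + 12);
        h->type   = hdr[16];
        h->len_ok = (h->len == (uint32_t)n);
        return 1;
    }
    return 0;
}

/* Constructed sample frame (not captured data): 4 data bytes, id 0x11223344,
 * type 1, encrypted under `key`. A non-zero bogus_len is written into the
 * length field instead of the real size, mimicking a malformed packet. */
size_t bo_build_sample(uint16_t key, uint32_t bogus_len, uint8_t *out, size_t cap)
{
    static const uint8_t data[4] = { 'p', 'i', 'n', 'g' };
    uint8_t plain[BO_MIN_LEN + sizeof data];
    size_t n = sizeof plain;
    uint32_t len = bogus_len ? bogus_len : (uint32_t)n;
    uint32_t id = 0x11223344u;
    if (cap < n)
        return 0;
    memcpy(plain, BO_MAGIC, BO_MAGIC_LEN);
    for (int i = 0; i < 4; i++) {
        plain[8 + i]  = (uint8_t)(len >> (8 * i));
        plain[12 + i] = (uint8_t)(id >> (8 * i));
    }
    plain[16] = 1;
    memcpy(plain + BO_HDR_LEN, data, sizeof data);
    plain[n - 1] = 0;                       /* checksum byte, not validated here */
    bo_crypt(key, plain, out, n);
    return n;
}

int main(void)
{
    uint8_t pkt[64];
    struct bo_hdr h;
    size_t n = bo_build_sample(BO_DEFAULT_KEY, 0, pkt, sizeof pkt);
    if (bo_detect(pkt, n, &h))
        printf("BO frame: key=%u len=%lu wire=%lu %s id=0x%08lx type=%u\n",
               (unsigned)h.key, (unsigned long)h.len, (unsigned long)n,
               h.len_ok ? "consistent" : "LENGTH MISMATCH",
               (unsigned long)h.id, (unsigned)h.type);
    n = bo_build_sample(4242, 0x7fffffffu, pkt, sizeof pkt);
    if (bo_detect(pkt, n, &h))
        printf("BO frame: key=%u len=%lu wire=%lu %s\n",
               (unsigned)h.key, (unsigned long)h.len, (unsigned long)n,
               h.len_ok ? "consistent" : "LENGTH MISMATCH");
    return 0;
}
```

Feeding this the UDP payload from a libpcap callback is all that is missing to turn it into the kind of port-agnostic monitor the post describes; the key search makes the encryption irrelevant to detection, which is exactly why the "any port, encrypted" property of the trigger packet is no obstacle to spotting it.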

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    As a follow-up...

    A vulnerability in the Snort open-source intrusion detection software puts companies at serious risk, the researcher who discovered the bug said Wednesday. "The vulnerability is very easy to exploit, and potentially quite workable," said Neel Mehta, the team leader for Internet Security Systems' (IS) X-force research group, and the discoverer of the flaw. The vulnerability is in Snort's preprocessor component used to detect an older, and essentially obsolete, Trojan, Back Orifice. A single UDP packet can trigger a stack-based overflow, allowing an attacker to fully compromise a system or appliance running Snort or Sourcefire, which also uses the Snort code, said Mehta. Snort is an open-source intrusion detection system (IDS) used by more than 100,000 companies and government agencies to defend networks, according to its developer, Sourcefire. The Snort code is also tucked inside at least 45 commercially-sold IDS appliances.
    http://www.hackinthebox.org/modules....icle&sid=18292
    Serious Snort Bug Could Lead To Next Slammer :: Hack In The Box :: Keeping Knowledge Free

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Back to Green.

    We've decided to go back to green on the Snort Back Orifice pre-processor buffer overflow vulnerability. The reason for ratcheting down to green is primarily this: if you haven't shut off the Back Orifice preprocessor by now or come up with another work around, you probably aren't going to in the near future. This is still a hugely important issue, but our infocon status is designed to reflect changes in the threat level. So, we're back at green, but reserve the right to go to Yellow or higher if a worm starts to spread using this vulnerability.
    Cheers:
    DjM

  4. #4
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi DjM,

    Let's hope everyone got the message this time and did what they're supposed to. The threat is still there; they're just assuming that if someone hasn't protected themselves by now, they're not going to.

    Eg

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    something else we can indirectly thank cDc for!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tedob1
    something else we can indirectly thank cDc for!
    Isn't that dead cow, dead yet?

    Cheers:
    DjM

  7. #7
    True, it only takes one UDP packet to trip the system, but the exploit physically cannot be coded to affect every version of Snort in one packet.

    This is not the Witty Worm, and it's not the Slammer worm either. For as "trivial" as ISS claims it to be, I don't see a worm out yet!!!
