[UNIX] Buffer Overflow in Snort RPC Preprocessor
From: support@securiteam.com
Date: 03/07/03
From: support@securiteam.com To: list@securiteam.com Date: 7 Mar 2003 13:44:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Snort RPC Preprocessor
------------------------------------------------------------------------
SUMMARY
A buffer overflow has been found in the Snort RPC normalization routines
by ISS X-Force. This can cause Snort to execute arbitrary code embedded
within sniffed network packets. This preprocessor is enabled by default.
DETAILS
Vulnerable systems:
* All versions from 1.8 up to builds from before 2003-03-03 1PM
US/Eastern, including 1.9.0 and CVS HEAD (Snort 2.0beta)
Immune systems:
* Snort 1.9.1
Details:
When the RPC decoder normalizes fragmented RPC records, it incorrectly
checks the lengths of what is being normalized against the current packet
size.
The RPC decoder in Snort 1.9.1 and above contains new alert options that
can be used to help detect this attack:

  Option                     Default State
  alert_fragments            INACTIVE
  alert_large_fragments      ACTIVE
  alert_incomplete           ACTIVE
  alert_multiple_requests    ACTIVE

alert_fragments alerts on any fragmented RPC record it finds.
alert_large_fragments alerts when the reassembled fragment record would
exceed the current packet length. alert_incomplete alerts when a partial
record is found. alert_multiple_requests alerts when more than one RPC
request is found per packet (or reassembled packet).
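
As an added example that is not part of the advisory and is not Snort's source: a bounds-checked normalizer for ONC RPC record-marked data, showing the kind of length check the Details paragraph refers to and conditions resembling the first three alert options. The name rpc_normalize, the flag names, and the mapping from flags to alert options are assumptions of this example; the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flags named after the advisory's alert options; the conditions that set
 * them are this example's reading, not Snort's own logic. */
enum { RPC_FRAGMENTS = 1, RPC_LARGE_FRAGMENT = 2, RPC_INCOMPLETE = 4 };
/* Constructed samples: "AB"+"CD" in two fragments; a 0x100-byte claim on 2 bytes. */
static const uint8_t sample_frag[]  = { 0x00,0,0,2,'A','B', 0x80,0,0,2,'C','D' };
static const uint8_t sample_large[] = { 0x80,0,1,0,'A','B' };

/* Merge the fragments of one RPC record (record marking: 4-byte big-endian
 * header, top bit = last fragment, low 31 bits = length) into out[] under a
 * single header. out[] is meaningful only when no error flag is returned. */
int rpc_normalize(const uint8_t *pkt, size_t len, uint8_t *out, size_t cap,
                  size_t *out_len)
{
    size_t rd = 0, wr = 4;   /* wr leaves room for the merged header */
    int flags = 0, nfrag = 0, last = 0;
    *out_len = 0;
    if (cap < 4) return RPC_LARGE_FRAGMENT;
    while (!last) {
        if (len - rd < 4) return flags | RPC_INCOMPLETE;  /* no marker left */
        uint32_t hdr = (uint32_t)pkt[rd] << 24 | (uint32_t)pkt[rd + 1] << 16 |
                       (uint32_t)pkt[rd + 2] << 8 | pkt[rd + 3];
        uint32_t flen = hdr & 0x7fffffffu;
        last = (hdr >> 31) != 0;
        rd += 4;
        /* Bound the wire-supplied length by the bytes present in the source
         * AND the room left in the destination; neither subtraction can wrap. */
        if (flen > len - rd || flen > cap - wr) return flags | RPC_LARGE_FRAGMENT;
        memcpy(out + wr, pkt + rd, flen);
        rd += flen; wr += flen;
        if (++nfrag > 1) flags |= RPC_FRAGMENTS;
    }
    uint32_t total = (uint32_t)(wr - 4);
    out[0] = 0x80 | (uint8_t)(total >> 24); out[1] = (uint8_t)(total >> 16);
    out[2] = (uint8_t)(total >> 8);         out[3] = (uint8_t)total;
    *out_len = wr;
    return flags;
}

int main(void)
{
    uint8_t out[16]; size_t n;
    printf("fragmented: %d\n", rpc_normalize(sample_frag, sizeof sample_frag, out, sizeof out, &n));
    printf("oversized:  %d\n", rpc_normalize(sample_large, sizeof sample_large, out, sizeof out, &n));
    return 0;
}
```

The destination check (`cap - wr`) is kept separate from the source check (`len - rd`): a fragment can fit inside the packet that carried it and still not fit in the buffer it is being merged into.
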
Download Locations:
Sourcefire has acquired additional bandwidth and hosting to aid users
wishing to upgrade their Snort implementation. Binaries are not currently
available; this is a source-only release at this time. As new binaries
become available, they will be added to the site.
Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
Mitigation:
If you are in an environment that cannot upgrade Snort immediately,
comment out the line in your snort.conf that begins:
    preprocessor rpc_decode
so that it reads:
    # preprocessor rpc_decode
ADDITIONAL INFORMATION
The information has been provided by Martin Roesch
<roesch@sourcefire.com>.