[VulnWatch] back orifice and snort - two words not to be used together

From: Chris Wysopal (weld_at_vulnwatch.org)
Date: 10/19/05

  • Next message: Cisco Systems Product Security Incident Response Team: "[VulnWatch] Cisco Security Advisory:Cisco 11500 Content Services Switch SSL Malformed Client Certificate Vulnerability"
    Date: Tue, 18 Oct 2005 17:05:41 -0500 (EST)
    To: vulnwatch@vulnwatch.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                          National Cyber Alert System

                    Technical Cyber Security Alert TA05-291A

    Snort Back Orifice Preprocessor Buffer Overflow

        Original release date: October 18, 2005
        Last revised: --
        Source: US-CERT

    Systems Affected

          * Snort versions 2.4.0 to 2.4.2
          * Sourcefire Intrusion Sensors

        Other products that use Snort or Snort components may be affected.

    Overview

        The Snort Back Orifice preprocessor contains a buffer overflow that
        could allow a remote attacker to execute arbitrary code on a
        vulnerable system.

    I. Description

        Snort is a widely-deployed, open-source network intrusion detection
        system (IDS). Snort and its components are used in other IDS
        products, notably Sourcefire Intrusion Sensors, and Snort is
        included with a number of operating system distributions.

        Snort preprocessors are modular plugins that extend functionality
        by operating on packets before the detection engine is run. The
        Back Orifice preprocessor decodes packets to determine if they
        contain Back Orifice ping messages. The ping detection code does
        not adequately limit the amount of data that is read from the
        packet into a fixed-length buffer, thus creating the potential for
        a buffer overflow.

        The vulnerable code will process any UDP packet that is not
        destined to or sourced from the default Back Orifice port
        (31337/udp). An attacker could exploit this vulnerability by
        sending a specially crafted UDP packet to a host or network
        monitored by Snort.

        US-CERT is tracking this vulnerability as VU#175500. Further
        information is available in an advisory from Internet Security
        Systems (ISS).

    II. Impact

        A remote attacker who can send UDP packets to a Snort sensor may be
        able to execute arbitrary code. Snort typically runs with root or
        SYSTEM privileges, so an attacker could take complete control of a
        vulnerable system. An attacker does not need to target a Snort
        sensor directly; the attacker can target any host or network
        monitored by Snort.

    III. Solution

    Upgrade

        Sourcefire has released Snort 2.4.3 which is available from the
        Snort download site. For information about other vendors, please
        see the Systems Affected section of VU#175500.

    Disable Back Orifice Preprocessor

        To disable the Back Orifice preprocessor, comment out the line that
        loads the preprocessor in the Snort configuration file (typically
        /etc/snort.conf on UNIX and Linux systems):

          [/etc/snort.conf]
          ...
          #preprocessor bo
          ...

        Restart Snort for the change to take effect.

    Restrict Outbound Traffic

        Consider preventing Snort sensors from initiating outbound
        connections and restricting outbound traffic to only those hosts
        and networks that have legitimate requirements to communicate with
        the sensors. While this will not prevent exploitation of the
        vulnerability, it may make it more difficult for an attacker to
        access a compromised system or reconnoiter other systems.

    Appendix A. References

          * US-CERT Vulnerability Note VU#175500 -
            <http://www.kb.cert.org/vuls/id/177500>

          * Fixes and Mitigation Instructions Available for Snort Back
            Orifice Vulnerability -
            <http://www.snort.org/pub-bin/snortnews.cgi#99>

          * Snort downloads - <http://www.snort.org/dl/>

          * Snort 2.4.3 Changelog -
            <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>

          * Preprocessors -
            <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
            node11.html#SECTION00310000000000000000>

          * Snort Back Orifice Parsing Remote Code Execution -
            <http://xforce.iss.net/xforce/alerts/id/207>

      ____________________________________________________________________

        This vulnerability was researched and reported by Internet Security
        Systems (ISS).
      ____________________________________________________________________

        The most recent version of this document can be found at:

          <http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
      ____________________________________________________________________

        Feedback can be directed to US-CERT Technical Staff. Please send
        email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
        subject.
      ____________________________________________________________________

        For instructions on subscribing to or unsubscribing from this
        mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
      ____________________________________________________________________

        Produced 2005 by US-CERT, a government organization.

        Terms of use:

          <http://www.us-cert.gov/legal.html>
      ____________________________________________________________________

    Revision History

        Oct 18, 2005: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3
    T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H
    +qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX
    4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM
    nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme
    jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ==
    =jjID
    -----END PGP SIGNATURE-----


  • Next message: Cisco Systems Product Security Incident Response Team: "[VulnWatch] Cisco Security Advisory:Cisco 11500 Content Services Switch SSL Malformed Client Certificate Vulnerability"

    Relevant Pages