[Snort-devel] [Snort-2003-001] Buffer overflow in Snort RPC preprocessor

Martin Roesch roesch at ...402...
Thu Mar 6 13:59:12 EST 2003


Nice to see this only took 4 days to make it to the list, glad it 
wasn't important or anything...

       -Marty


On Monday, March 3, 2003, at 12:59 PM, Martin Roesch wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Snort Vulnerability Advisory [SNORT-2003-001]
>
> Date: 2003-03-03
>
> Affected Snort Versions:
>
> Any version starting with version 1.8 to those before 2003-03-03 1PM/ 
> US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
>
> Synopsis:
>
> A buffer overflow has been found in the snort RPC normalization 
> routines by ISS X-Force.  This can cause snort to execute arbitrary 
> code embedded within sniffed network packets. This preprocessor is 
> enabled by default.
>
> Snort 1.9.1 has been released to resolve this issue. For users using 
> CVS HEAD, a fix has been committed to the source tree.
>
> Mitigation:
>
> If you are in an environment that cannot upgrade snort immediately, 
> comment out the line in your snort.conf that begins:
>
> preprocessor rpc_decode
>
> and replace it with
>
> # preprocessor rpc_decode
>
> Details:
>
> When the rpc decoder normalizes fragmented RPC records, it incorrectly 
> checks the lengths of what is being normalized against the current 
> packet size.
>
> The rpc decoder in Snort 1.9.1 and above contains new alert options 
> that can be used to help detect this attack.
>
> Option                    Default State
>
> alert_fragments           INACTIVE
> alert_large_fragments     ACTIVE
> alert_incomplete          ACTIVE
> alert_multiple_requests   ACTIVE
>
>
> The first option will alert on any rpc fragmented record it finds. 
> Large fragments will alert when the reassembled fragment record will 
> exceed the current packet length.  The incomplete record will alert 
> when there is a partial record found.  The alert_multiple_requests 
> will alert when we find more than one RPC request per packet (or 
> reassembled packet).
>
> Download Locations:
>
> Sourcefire has acquired additional bandwidth and hosting to aid users 
> wishing to upgrade their Snort implementation.  Binaries are currently 
> not available; this is a source release only at this time.  As new 
> binaries become available they will be added to the site.
>
> Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
> GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
>
> CVS HEAD (Snort 2.0beta)  has been fixed as well.
>
> - -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (Darwin)
>
> iD8DBQE+Y5gfqj0FAQQ3KOARAkENAJ0Zf0tGT/BilYA32bIuQF0Te/A2bgCfWRu2
> OoXy1dQb8B/1/AEbTDqjxSA=
> =NQ8d
> -----END PGP SIGNATURE-----
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
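
The length check described under "Details" in the quoted advisory, as an added C example that is not part of the original message and is not Snort's code. It assumes standard RPC record marking over TCP (RFC 5531); every identifier is hypothetical, and the mapping of conditions to the alert option names is this example's own reading of the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Conditions named after the advisory's alert options; the bit values and
 * all identifiers are assumptions of this example, not Snort's. */
enum { RPC_FRAGMENTS = 1, RPC_LARGE_FRAGMENTS = 2,
       RPC_INCOMPLETE = 4, RPC_MULTIPLE_REQUESTS = 8 };

/* Record mark (RFC 5531): top bit = last fragment, low 31 bits = length. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | p[3];
}

/* Merge the fragments of the first record in buf[0..len) into one record,
 * in place. Returns the merged size including its 4-byte mark, or 0 with
 * buf untouched when a length check fails. Bytes past the returned size
 * are stale and must not be used. */
size_t rpc_normalize(uint8_t *buf, size_t len, unsigned *flags)
{
    size_t in = 0, out = 4, total = 0, flen;
    uint32_t mark;
    int last = 0, nfrag = 0;

    *flags = 0;
    /* Pass 1: validate every fragment before a single byte is moved. */
    while (!last) {
        if (len - in < 4) { *flags |= RPC_INCOMPLETE; return 0; }
        mark = rd32(buf + in);
        flen = mark & 0x7fffffffu;
        last = (int)(mark >> 31);
        in += 4;
        /* Compare with the bytes left after this mark, not with len. */
        if (flen > len - in) { *flags |= RPC_LARGE_FRAGMENTS; return 0; }
        in += flen; total += flen; nfrag++;
    }
    if (nfrag > 1) *flags |= RPC_FRAGMENTS;
    if (in < len) *flags |= RPC_MULTIPLE_REQUESTS; /* assumed: trailing data */
    /* Pass 2: compact payloads; out never passes in, so memmove is safe. */
    for (in = 0, last = 0; !last; in += 4 + flen, out += flen) {
        mark = rd32(buf + in);
        flen = mark & 0x7fffffffu;
        last = (int)(mark >> 31);
        memmove(buf + out, buf + in + 4, flen);
    }
    buf[0] = (uint8_t)(0x80 | total >> 24); buf[1] = (uint8_t)(total >> 16);
    buf[2] = (uint8_t)(total >> 8);         buf[3] = (uint8_t)total;
    return out;
}
```

A fragment that claims 10 bytes when only 2 remain in a 12-byte buffer would pass a comparison against the packet size; the comparison against the remaining bytes rejects it.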




