[Snort-devel] [Snort-2003-001] Buffer overflow in Snort RPC preprocessor
roesch at ...402...
Thu Mar 6 13:59:12 EST 2003
Nice to see this only took 4 days to make it to the list, glad it
wasn't important or anything...
On Monday, March 3, 2003, at 12:59 PM, Martin Roesch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Snort Vulnerability Advisory [SNORT-2003-001]
> Date: 2003-03-03
> Affected Snort Versions:
> Any version starting with version 1.8 to those before 2003-03-03 1PM/
> US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
> A buffer overflow has been found in the snort RPC normalization
> routines by ISS X-Force. This can cause snort to execute arbitrary
> code embedded within sniffed network packets. This preprocessor is
> enabled by default.
> Snort 1.9.1 has been released to resolve this issue. For users using
> CVS HEAD, a fix has been committed to the source tree.
> If you are in an environment that can not upgrade snort immediately,
> comment out the line in your snort.conf that begins:
>     preprocessor rpc_decode
> and replace it with
>     # preprocessor rpc_decode
> When the rpc decoder normalizes fragmented RPC records, it incorrectly
> checks the lengths of what is being normalized against the current
> packet size.
> The rpc decoder in Snort 1.9.1 and above contains new alert options
> that can be used to help detect this attack:
>
>   Option                    Default State
>   alert_fragments           INACTIVE
>   alert_large_fragments     ACTIVE
>   alert_incomplete          ACTIVE
>   alert_multiple_requests   ACTIVE
>
> The first option will alert on any rpc fragmented record it finds.
> Large fragments will alert when the reassembled fragment record will
> exceed the current packet length. The incomplete record will alert
> when there is a partial record found. The alert_multiple_requests
> will alert when we find more than one RPC request per packet (or
> reassembled packet).
> Download Locations:
> Sourcefire has acquired additional bandwidth and hosting to aid users
> wishing to upgrade their Snort implementation. Binaries are currently
> not available, this is a source release only at this time. As new
> binaries become available they will be added to the site.
> Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
> GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
> CVS HEAD (Snort 2.0beta) has been fixed as well.
> - -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (Darwin)
> -----END PGP SIGNATURE-----
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
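
The advisory attributes the overflow to a faulty length check while fragmented RPC records are normalized. The following is an added example, not Snort's code and not part of the original post: a normalizer that validates every fragment length against the bytes left in the packet before copying. rpc_normalize, the flag names and the conditions that set them are assumptions modeled on the alert options listed in the advisory, using the ONC RPC record-marking header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag names echo the advisory's alert options; the exact conditions are this example's. */
enum { RPC_FRAGMENTS = 1, RPC_LARGE_FRAGMENT = 2, RPC_INCOMPLETE = 4, RPC_MULTIPLE = 8 };

/* Hypothetical helper: walk the RPC record marks in buf[0..len) (4-byte big-endian
 * header, top bit = last fragment, low 31 bits = fragment length) and join the
 * fragments of the first record in place behind a single rewritten mark.
 * Returns alert flags; *body_len receives the joined length of the first record. */
int rpc_normalize(uint8_t *buf, size_t len, size_t *body_len)
{
    size_t in = 0, out = 4, records = 0;
    int flags = 0, open = 0;
    *body_len = 0;
    while (len - in >= 4) {
        uint32_t mark = (uint32_t)buf[in] << 24 | (uint32_t)buf[in + 1] << 16 |
                        (uint32_t)buf[in + 2] << 8 | (uint32_t)buf[in + 3];
        uint32_t flen = mark & 0x7fffffffu;
        int last = (int)(mark >> 31);
        in += 4;
        /* The check that matters: compare the claimed length with the bytes
         * still left in this packet before any copy takes place. */
        if (flen > len - in)
            return flags | RPC_LARGE_FRAGMENT;
        if (!last)
            flags |= RPC_FRAGMENTS;
        if (records == 0) {
            /* out <= in always holds, so the copy stays inside bytes already parsed. */
            memmove(buf + out, buf + in, flen);
            out += flen;
        }
        in += flen;
        open = !last;
        if (last && records++ == 0) {
            *body_len = out - 4;
            buf[0] = (uint8_t)(0x80u | (*body_len >> 24));
            buf[1] = (uint8_t)(*body_len >> 16);
            buf[2] = (uint8_t)(*body_len >> 8);
            buf[3] = (uint8_t)*body_len;
        }
    }
    if (open || in != len)
        flags |= RPC_INCOMPLETE;   /* no last fragment seen, or a truncated mark */
    if (records > 1)
        flags |= RPC_MULTIPLE;
    return flags;
}
```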