[Snort-users] BO preproc exploit published

byte_jump bytejump at ...11827...
Wed Oct 26 15:54:45 EDT 2005


On 10/26/05, Paul Melson <pmelson at ...11827...> wrote:
>
> I saw that in the release notes.  To date, my sensors have not detected any
> attempts to exploit the bo preproc.  I suppose that now that there's
> publicly available code that I ought to test it. ;)
>
> PaulM


I didn't spend a ton of time on it, but I used the exploit code
against a Snort 2.4.0 Snort box with the BO preprocessor enabled.
Snort had been compiled with the SPP gcc (formerly ProPolice) and was
on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by
any means, but the exploit did not work and seemed to fail due to
ProPolice (this is a stack-based buffer overflow). The exploit did
work against a similar server without ProPolice and grsecurity.

Honestly, I'm very disappointed that 1) Sourcefire doesn't use
ProPolice and grsecurity on their sensors, and 2) that Snort.org does
not encourage folks to use those security mechanisms, too. Those
security measures certainly seemed to work in my less-than-scientific
test.




More information about the Snort-users mailing list