|
|
|
 |
Vulnerability Note VU#139129Heap overflow in Snort "stream4" preprocessorOverviewThe Snort "stream4" preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.I. DescriptionResearchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap. For further information, please read the Core Security Technologies Advisory located at This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1. II. ImpactThis vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.III. SolutionUpgrade to Snort 2.0This vulnerability is addressed in Snort version 2.0, which is available at Binary-only versions of Snort are available from Disable the "stream4" preprocessor module Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor module in the "snort.conf" configuration file. To do this, comment out the following line:
After commenting out the affected module, send a SIGHUP signal to the affected Snort process to update the configuration. Note that disabling this module may have adverse effects on a sensor's ability to correctly process TCP packet fragments. In particular, disabling this module will prevent the Snort sensor from detecting a variety of IDS evasion attacks. Block outbound packets from Snort IDS systems You may be able limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit. Systems Affected
References
This vulnerability was discovered by Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies. This document was written by Jeffrey P. Lanza.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Get Adobe Reader