Vulnerability Note VU#175500
Snort Back Orifice preprocessor buffer overflow
A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges.
Snort is an open-source intrusion detection system (IDS). A lack of validation on attacker-controlled data may allow a buffer overflow to occur in the in Snort Back Orifice preprocessor. A remote, unauthenticated attacker may be able to trigger the buffer overflow by sending a specially crafted Back Orifice ping to a vulnerable Snort installation.
To exploit this vulnerability, an attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.
A remote attacker can execute arbitrary code with the privileges of the Snort process, typically root or SYSTEM.
1. Locate the line "preprocessor bo"
2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
3. Save the file
4. Restart snort
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD, Inc.||Affected||18 Oct 2005||18 Oct 2005|
|Nortel Networks, Inc.||Affected||18 Oct 2005||19 Oct 2005|
|Snort||Affected||14 Oct 2005||18 Oct 2005|
|Sourcefire||Affected||14 Oct 2005||26 Oct 2005|
|SUSE Linux||Affected||18 Oct 2005||19 Oct 2005|
|Ubuntu||Affected||18 Oct 2005||19 Oct 2005|
|Apple Computer, Inc.||Not Affected||18 Oct 2005||09 Nov 2005|
|Avaya, Inc.||Not Affected||18 Oct 2005||18 Oct 2005|
|Debian Linux||Not Affected||18 Oct 2005||11 Nov 2005|
|F5 Networks, Inc.||Not Affected||18 Oct 2005||19 Oct 2005|
|Global Technology Associates||Not Affected||18 Oct 2005||18 Oct 2005|
|Hitachi||Not Affected||18 Oct 2005||20 Oct 2005|
|Internet Security Systems, Inc.||Not Affected||14 Oct 2005||18 Oct 2005|
|Intoto||Not Affected||18 Oct 2005||11 Nov 2005|
|Juniper Networks, Inc.||Not Affected||18 Oct 2005||20 Oct 2005|
CVSS Metrics (Learn More)
This vulnerability was researched and reported by Internet Security Systems (ISS).
This document was written by Art Manion and Jeff Gennari.
- CVE IDs: CAN-2005-3252
- Date Public: 18 Oct 2005
- Date First Published: 18 Oct 2005
- Date Last Updated: 11 Nov 2005
- Severity Metric: 31.05
- Document Revision: 37
If you have feedback, comments, or additional information about this vulnerability, please send us email.