Vulnerability Note VU#175500

Snort Back Orifice preprocessor buffer overflow

Original Release date: 18 Oct 2005 | Last revised: 11 Nov 2005

Overview

A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges.

Description

Snort is an open-source intrusion detection system (IDS). A lack of validation on attacker-controlled data may allow a buffer overflow to occur in the Snort Back Orifice preprocessor. A remote, unauthenticated attacker may be able to trigger the buffer overflow by sending a specially crafted Back Orifice ping to a vulnerable Snort installation.

To exploit this vulnerability, an attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.

Impact

A remote attacker can execute arbitrary code with the privileges of the Snort process, typically root or SYSTEM.

Solution


Update

This issue has been addressed in Snort version 2.4.3.


Disable Snort Back Orifice preprocessor

Disabling the Snort Back Orifice preprocessor will mitigate this vulnerability. However, without the Snort preprocessor, the Snort sensor will not detect or prevent Back Orifice traffic. Snort suggests the following steps to disable the Back Orifice preprocessor:

    The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:

    1. Locate the line "preprocessor bo"
    2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
    3. Save the file
    4. Restart snort
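
The procedure above as a script, added here as an example (it is not part of the original note or of Snort): it comments out every active "preprocessor bo" line, including indented lines and lines that carry options, keeps a backup, and verifies the result before overwriting the file. The function names and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Snort project code). An active line is optional
# whitespace, "preprocessor", whitespace, "bo", then end of line, whitespace
# or ":" (options), so other preprocessor names starting with "bo" are ignored.
BO_RE='^([[:space:]]*)(preprocessor[[:space:]]+bo([[:space:]:]|$))'

# bo_active_count FILE: print how many uncommented "preprocessor bo" lines exist.
bo_active_count() {
    grep -Ec "$BO_RE" "$1" || true
}

# disable_bo FILE: comment out each active line (steps 1-3 of the procedure),
# keeping the original as FILE.bak. Restarting Snort (step 4) is left to the
# operator because service management differs between systems.
disable_bo() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ "$(bo_active_count "$conf")" -gt 0 ] || return 0   # already disabled
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if sed -E "s/$BO_RE/\\1#\\2/" "$conf.bak" > "$tmp" &&
       [ "$(bo_active_count "$tmp")" -eq 0 ]; then
        # Overwrite in place so the file keeps its owner and mode.
        cat "$tmp" > "$conf"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# write_sample_conf FILE: constructed sample input for trying the functions.
# "example_option" and "bogus_name" are hypothetical, not real Snort keywords.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf fragment
preprocessor frag3_global
preprocessor bo
  preprocessor bo: example_option
#preprocessor bo
preprocessor bogus_name
EOF
}
```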

Systems Affected

Vendor                                          Status          Date Notified  Date Updated
3com, Inc.                                      Unknown         18 Oct 2005    11 Nov 2005
Alcatel                                         Unknown         18 Oct 2005    11 Nov 2005
Apple Computer, Inc.                            Not Vulnerable  18 Oct 2005    11 Nov 2005
AT&T                                            Unknown         18 Oct 2005    11 Nov 2005
Avaya, Inc.                                     Not Vulnerable  18 Oct 2005    11 Nov 2005
Avici Systems, Inc.                             Unknown         18 Oct 2005    11 Nov 2005
Borderware Technologies                         Unknown         18 Oct 2005    11 Nov 2005
Bro                                             Unknown         11 Nov 2005    11 Nov 2005
Charlotte's Web Networks                        Unknown         18 Oct 2005    11 Nov 2005
Check Point Software Technologies               Unknown         18 Oct 2005    11 Nov 2005
Chiaro Networks, Inc.                           Unknown         18 Oct 2005    11 Nov 2005
CIAC                                            Unknown         11 Nov 2005    11 Nov 2005
Cisco Systems, Inc.                             Unknown         18 Oct 2005    11 Nov 2005
Computer Associates                             Unknown         18 Oct 2005    11 Nov 2005
Computer Associates eTrust Security Management  Unknown         10 Nov 2005    11 Nov 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was researched and reported by Internet Security Systems (ISS).

This document was written by Art Manion and Jeff Gennari.

Other Information

  • CVE IDs: CAN-2005-3252
  • Date Public: 18 Oct 2005
  • Date First Published: 18 Oct 2005
  • Date Last Updated: 11 Nov 2005
  • Severity Metric: 31.05
  • Document Revision: 37
