Vulnerability Note VU#196240

Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets

Overview

A vulnerability in the Sourcefire Snort DCE/RPC preprocessor may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

Sourcefire Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions.

Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC packets so that Snort rules operate on a complete packet. The preprocessor does not properly reassemble SMB Write AndX commands, creating a stack buffer overflow vulnerability.

The DCE/RPC preprocessor is enabled by default and dynamically detects SMB traffic. An attacker does not have to complete a full TCP connection to exploit this vulnerability. According to ISS:

    This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
Note that this issue affects the following systems:
  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1
  • Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
  • Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64
Exploit code for this vulnerability is publicly available.
This vulnerability occurred as a result of violating rule ARR33-C of the CERT Secure Coding Standard.
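ARR33-C ("guarantee that copies are made into storage of sufficient size") is the rule named above. The following C program is an added illustration of that rule applied to fragment reassembly; it is not Snort's code and does not reproduce the DCE/RPC preprocessor's logic. It assumes a constructed, simplified fragment format (a 2-byte big-endian length followed by data, fragments chained back-to-back in one segment) rather than the real SMB Write AndX layout, and a fixed 256-byte reassembly buffer. The point it demonstrates is that the capacity check must be cumulative across the chain, since the advisory notes that multiple requests can be chained in a single TCP segment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size reassembly buffer, standing in for a stack buffer a
 * preprocessor might use (size chosen for this example). */
#define REASM_MAX 256

enum reasm_status {
    REASM_TRUNCATED = -1,   /* a header claims more bytes than the segment holds */
    REASM_TOO_LARGE = -2    /* chained fragments would exceed the reassembly buffer */
};

/* Reassemble every chained fragment in `in` (in_len bytes) into `out`
 * (capacity out_cap). Fragment format is constructed for this example and is
 * NOT the SMB Write AndX layout: 2-byte big-endian data length, then that many
 * data bytes, repeated. Returns the reassembled byte count or a negative
 * enum reasm_status value. */
long reassemble_fragments(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap)
{
    size_t pos = 0;     /* read offset in the input segment */
    size_t total = 0;   /* bytes written to `out` so far */

    while (pos < in_len) {
        if (in_len - pos < 2)
            return REASM_TRUNCATED;                 /* incomplete header */
        size_t frag_len = ((size_t)in[pos] << 8) | in[pos + 1];
        pos += 2;
        if (frag_len > in_len - pos)
            return REASM_TRUNCATED;                 /* length exceeds input */

        /* ARR33-C: confirm the destination can hold the whole copy before
         * making it. The bound is cumulative across the chain; checking each
         * fragment only against REASM_MAX in isolation would still let a chain
         * of small fragments run past the end of the buffer. */
        if (frag_len > out_cap - total)
            return REASM_TOO_LARGE;

        memcpy(out + total, in + pos, frag_len);
        total += frag_len;
        pos += frag_len;
    }
    return (long)total;
}

/* The call site: a fixed stack buffer whose size is passed down so the
 * reassembler can enforce the bound. */
long reassemble_into_stack_buffer(const uint8_t *in, size_t in_len)
{
    uint8_t buf[REASM_MAX];
    return reassemble_fragments(in, in_len, buf, sizeof buf);
}

/* Build `count` chained fragments of `frag_len` bytes each (constructed
 * test input). Returns the stream length, or 0 if dst is too small. */
size_t build_chain(uint8_t *dst, size_t dst_cap,
                   size_t count, size_t frag_len, uint8_t fill)
{
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        if (dst_cap - pos < 2 + frag_len)
            return 0;
        dst[pos++] = (uint8_t)(frag_len >> 8);
        dst[pos++] = (uint8_t)(frag_len & 0xff);
        memset(dst + pos, fill, frag_len);
        pos += frag_len;
    }
    return pos;
}

/* Three chained fragments, 150 bytes in all: fits, returns 150. */
long demo_valid_chain(void)
{
    uint8_t stream[512];
    size_t n = build_chain(stream, sizeof stream, 3, 50, 0x41);
    return reassemble_into_stack_buffer(stream, n);
}

/* Six chained fragments, 300 bytes in all: the sixth would overrun the
 * 256-byte buffer, so reassembly stops with REASM_TOO_LARGE. */
long demo_oversized_chain(void)
{
    uint8_t stream[512];
    size_t n = build_chain(stream, sizeof stream, 6, 50, 0x41);
    return reassemble_into_stack_buffer(stream, n);
}

/* A header claiming 100 bytes when only 10 follow: REASM_TRUNCATED. */
long demo_truncated_fragment(void)
{
    uint8_t stream[12] = { 0x00, 0x64 };
    memset(stream + 2, 0x42, 10);
    return reassemble_into_stack_buffer(stream, sizeof stream);
}

int main(void)
{
    printf("valid chain:     %ld\n", demo_valid_chain());
    printf("oversized chain: %ld\n", demo_oversized_chain());
    printf("truncated:       %ld\n", demo_truncated_fragment());
    return 0;
}
```

The two negative paths matter for a preprocessor in particular: rejecting an oversized chain avoids the overflow, and rejecting a truncated fragment avoids reading past the segment, without either outcome crashing the sensor that is supposed to keep watching the wire.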

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privilege level of the Snort preprocessor. In most cases this would allow an attacker to compromise the system running Snort.

III. Solution

Upgrade

Sourcefire has released Snort 2.6.1.3, which is available from the Snort download site. See the Snort advisory dated 2007-02-19 for more details. Sourcefire customers should see the Sourcefire Support Login for more details on updates.

Disable the preprocessor

Disable the DCE/RPC preprocessor (dcerpc) by removing the DCE/RPC preprocessor directives from the Snort configuration file (often /etc/snort.conf or user.conf). Note that disabling this preprocessor may allow fragmented attacks to evade the Snort sensor, since rules will no longer operate on reassembled SMB and DCE/RPC packets. See Sourcefire Advisory 2007-02-19 for more details.

Systems Affected

Vendor | Status | Date
3com, Inc. | Unknown | 19-Feb-2007
Alcatel | Unknown | 19-Feb-2007
Apple Computer, Inc. | Not Vulnerable | 22-Feb-2007
AT&T | Unknown | 19-Feb-2007
Avaya, Inc. | Unknown | 19-Feb-2007
Avici Systems, Inc. | Unknown | 19-Feb-2007
Borderware Technologies | Unknown | 19-Feb-2007
Charlotte's Web Networks | Unknown | 19-Feb-2007
Check Point Software Technologies | Unknown | 19-Feb-2007
Chiaro Networks, Inc. | Unknown | 19-Feb-2007
Cisco Systems, Inc. | Not Vulnerable | 20-Feb-2007
Clavister | Unknown | 19-Feb-2007
Computer Associates | Unknown | 19-Feb-2007
Conectiva Inc. | Unknown | 19-Feb-2007
Cray Inc. | Unknown | 19-Feb-2007
D-Link Systems, Inc. | Unknown | 19-Feb-2007
Data Connection, Ltd. | Unknown | 19-Feb-2007
EMC, Inc. (formerly Data General Corporation) | Unknown | 19-Feb-2007
Engarde Secure Linux | Unknown | 19-Feb-2007
Ericsson | Unknown | 19-Feb-2007
eSoft, Inc. | Unknown | 19-Feb-2007
Extreme Networks | Unknown | 19-Feb-2007
F5 Networks, Inc. | Not Vulnerable | 23-Feb-2007
Fedora Project | Unknown | 19-Feb-2007
Force10 Networks, Inc. | Not Vulnerable | 22-Mar-2007
Fortinet, Inc. | Unknown | 19-Feb-2007
Foundry Networks, Inc. | Not Vulnerable | 30-Jan-2008
FreeBSD, Inc. | Unknown | 19-Feb-2007
Fujitsu | Unknown | 19-Feb-2007
Gentoo Linux | Vulnerable | 12-Mar-2007
Global Technology Associates | Unknown | 19-Feb-2007
Hewlett-Packard Company | Unknown | 19-Feb-2007
Hitachi | Unknown | 19-Feb-2007
Hyperchip | Unknown | 19-Feb-2007
IBM Corporation | Unknown | 19-Feb-2007
IBM Corporation (zseries) | Unknown | 19-Feb-2007
IBM eServer | Unknown | 19-Feb-2007
Immunix Communications, Inc. | Unknown | 19-Feb-2007
Ingrian Networks, Inc. | Unknown | 19-Feb-2007
Intel Corporation | Not Vulnerable | 20-Feb-2007
Internet Security Systems, Inc. | Not Vulnerable | 20-Feb-2007
Intoto | Not Vulnerable | 20-Feb-2007
IP Filter | Unknown | 19-Feb-2007
Juniper Networks, Inc. | Not Vulnerable | 22-Feb-2007
Linksys (A division of Cisco Systems) | Unknown | 19-Feb-2007
Lucent Technologies | Unknown | 19-Feb-2007
Luminous Networks | Unknown | 19-Feb-2007
Mandriva, Inc. | Unknown | 19-Feb-2007
Microsoft Corporation | Unknown | 19-Feb-2007
MontaVista Software, Inc. | Unknown | 19-Feb-2007
Multinet (owned Process Software Corporation) | Unknown | 19-Feb-2007
Multitech, Inc. | Unknown | 19-Feb-2007
NEC Corporation | Unknown | 19-Feb-2007
NetBSD | Not Vulnerable | 20-Feb-2007
netfilter | Unknown | 19-Feb-2007
Network Appliance, Inc. | Unknown | 19-Feb-2007
NextHop Technologies, Inc. | Unknown | 19-Feb-2007
Nokia | Unknown | 19-Feb-2007
Nortel Networks, Inc. | Vulnerable | 21-Feb-2007
Novell, Inc. | Unknown | 19-Feb-2007
OpenBSD | Unknown | 19-Feb-2007
Openwall GNU/*/Linux | Not Vulnerable | 20-Feb-2007
QNX, Software Systems, Inc. | Unknown | 19-Feb-2007
Red Hat, Inc. | Not Vulnerable | 21-Feb-2007
Redback Networks, Inc. | Unknown | 19-Feb-2007
Riverstone Networks, Inc. | Unknown | 19-Feb-2007
Secure Computing Network Security Division | Unknown | 19-Feb-2007
Secureworx, Inc. | Unknown | 19-Feb-2007
Silicon Graphics, Inc. | Unknown | 19-Feb-2007
Slackware Linux Inc. | Unknown | 19-Feb-2007
Snort | Vulnerable | 19-Feb-2007
Sony Corporation | Unknown | 19-Feb-2007
Sourcefire | Vulnerable | 19-Feb-2007
Stonesoft | Unknown | 19-Feb-2007
Sun Microsystems, Inc. | Unknown | 19-Feb-2007
SUSE Linux | Unknown | 19-Feb-2007
Symantec, Inc. | Unknown | 19-Feb-2007
The SCO Group | Unknown | 19-Feb-2007
Trustix Secure Linux | Unknown | 19-Feb-2007
Turbolinux | Unknown | 19-Feb-2007
Ubuntu | Unknown | 19-Feb-2007
Unisys | Unknown | 19-Feb-2007
Watchguard Technologies, Inc. | Unknown | 19-Feb-2007
Wind River Systems, Inc. | Unknown | 19-Feb-2007
ZyXEL | Unknown | 19-Feb-2007

References

https://www.securecoding.cert.org/confluence/x/GwAI
http://www.snort.org/docs/advisory-2007-02-19.html
https://support.sourcefire.com/
http://iss.net/threats/257.html
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html
http://www.snort.org/docs/release_notes/release_notes_2613.txt
http://www.snort.org/dl/
http://secunia.com/advisories/24235/
http://secunia.com/advisories/24190/
http://secunia.com/advisories/24272/
http://www.securityfocus.com/bid/22616

Credit

This vulnerability was reported and researched by Neel Mehta from IBM ISS X-Force.

This document was written by Chris Taschner and Art Manion.

Other Information

Date Public: 2007-02-19
Date First Published: 2007-02-19
Date Last Updated: 2008-01-30
CERT Advisory: 
CVE-ID(s): CVE-2006-5276
NVD-ID(s): CVE-2006-5276
US-CERT Technical Alerts: 
Metric: 23.62
Document Revision: 44

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization