Vulnerability Note VU#196240
Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets
Overview
A vulnerability in the Sourcefire Snort DCE/RPC preprocessor may allow a remote, unauthenticated attacker to execute arbitrary code.
I. Description
Sourcefire Snort is a widely deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC packets so that Snort rules operate on a complete packet. The preprocessor does not properly reassemble SMB Write AndX commands, creating a stack buffer overflow vulnerability.
The DCE/RPC preprocessor is enabled by default and dynamically detects SMB traffic. An attacker does not have to complete a full TCP connection to exploit this vulnerability. According to ISS:
This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
Note that this issue affects the following systems:
- Snort 2.6.1, 2.6.1.1, and 2.6.1.2
- Snort 2.7.0 beta 1
- Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64
- Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64
Exploit code for this vulnerability is publicly available.
This vulnerability occurred as a result of violating rule ARR33-C of the CERT Secure Coding Standard.
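The note attributes the bug to ARR33-C (copying into storage of insufficient size). The following is an added illustration of that bug class and is not Snort's code: a hypothetical routine that appends a chain of fragments, as with several Write AndX requests in one TCP segment, into a fixed-size stack buffer, shown without and then with the size check. The buffer size, the `frag` structure and the sample chain are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_BUF_SIZE 64   /* constructed buffer size, not Snort's value */

struct frag { size_t len; const uint8_t *data; };   /* one chained fragment */

/* Unchecked pattern (the ARR33-C violation): fragments are appended at the
 * running offset with no test that they fit, so a chain totalling more than
 * REASM_BUF_SIZE bytes writes past the end of the caller's stack buffer. */
size_t reassemble_unchecked(uint8_t *buf, const struct frag *f, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, f[i].data, f[i].len);
        off += f[i].len;
    }
    return off;
}

/* Hardened form: reject any fragment larger than the remaining space. Testing
 * len against (size - off) is safe because off never exceeds size, whereas
 * (off + len > size) can wrap for a forged huge len and pass. Returns the
 * reassembled length, or -1 when the chain is rejected before any copy. */
long reassemble_checked(uint8_t *buf, const struct frag *f, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].len > REASM_BUF_SIZE - off)
            return -1;
        memcpy(buf + off, f[i].data, f[i].len);
        off += f[i].len;
    }
    return (long)off;
}

/* Constructed chains of up to four 20-byte fragments. A last_len larger than
 * the whole buffer stands in for a forged length field on the final fragment;
 * it is always rejected before the copy, so the sample is never over-read. */
static const uint8_t sample_payload[20] = { 0x41 };
long reassemble_sample(size_t nfrags, size_t last_len)
{
    uint8_t buf[REASM_BUF_SIZE];
    struct frag chain[4] = { {20, sample_payload}, {20, sample_payload},
                             {20, sample_payload}, {20, sample_payload} };
    if (nfrags > 4) return -2;
    if (nfrags > 0 && last_len > REASM_BUF_SIZE) chain[nfrags - 1].len = last_len;
    return reassemble_checked(buf, chain, nfrags);
}
```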
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code with the privilege level of the Snort preprocessor. In most cases this would allow an attacker to compromise the system running Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.6.1.3, which is available from the Snort download site. See Snort document 2007-02-19 for more details. Sourcefire customers should see Sourcefire Support Login for more details on updates.
Disable the preprocessor
Disable the DCE/RPC preprocessor (dcerpc) by removing the DCE/RPC preprocessor directives from the configuration file (often /etc/snort.conf or user.conf). Note that disabling this preprocessor may allow fragmented attacks to evade the Snort sensor. See Sourcefire Advisory 2007-02-19 for more details.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| 3com, Inc. | Unknown | 19-Feb-2007 |
| Alcatel | Unknown | 19-Feb-2007 |
| Apple Computer, Inc. | Not Vulnerable | 22-Feb-2007 |
| AT&T | Unknown | 19-Feb-2007 |
| Avaya, Inc. | Unknown | 19-Feb-2007 |
| Avici Systems, Inc. | Unknown | 19-Feb-2007 |
| Borderware Technologies | Unknown | 19-Feb-2007 |
| Charlotte's Web Networks | Unknown | 19-Feb-2007 |
| Check Point Software Technologies | Unknown | 19-Feb-2007 |
| Chiaro Networks, Inc. | Unknown | 19-Feb-2007 |
| Cisco Systems, Inc. | Not Vulnerable | 20-Feb-2007 |
| Clavister | Unknown | 19-Feb-2007 |
| Computer Associates | Unknown | 19-Feb-2007 |
| Conectiva Inc. | Unknown | 19-Feb-2007 |
| Cray Inc. | Unknown | 19-Feb-2007 |
| D-Link Systems, Inc. | Unknown | 19-Feb-2007 |
| Data Connection, Ltd. | Unknown | 19-Feb-2007 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 19-Feb-2007 |
| Engarde Secure Linux | Unknown | 19-Feb-2007 |
| Ericsson | Unknown | 19-Feb-2007 |
| eSoft, Inc. | Unknown | 19-Feb-2007 |
| Extreme Networks | Unknown | 19-Feb-2007 |
| F5 Networks, Inc. | Not Vulnerable | 23-Feb-2007 |
| Fedora Project | Unknown | 19-Feb-2007 |
| Force10 Networks, Inc. | Not Vulnerable | 22-Mar-2007 |
| Fortinet, Inc. | Unknown | 19-Feb-2007 |
| Foundry Networks, Inc. | Not Vulnerable | 30-Jan-2008 |
| FreeBSD, Inc. | Unknown | 19-Feb-2007 |
| Fujitsu | Unknown | 19-Feb-2007 |
| Gentoo Linux | Vulnerable | 12-Mar-2007 |
| Global Technology Associates | Unknown | 19-Feb-2007 |
| Hewlett-Packard Company | Unknown | 19-Feb-2007 |
| Hitachi | Unknown | 19-Feb-2007 |
| Hyperchip | Unknown | 19-Feb-2007 |
| IBM Corporation | Unknown | 19-Feb-2007 |
| IBM Corporation (zseries) | Unknown | 19-Feb-2007 |
| IBM eServer | Unknown | 19-Feb-2007 |
| Immunix Communications, Inc. | Unknown | 19-Feb-2007 |
| Ingrian Networks, Inc. | Unknown | 19-Feb-2007 |
| Intel Corporation | Not Vulnerable | 20-Feb-2007 |
| Internet Security Systems, Inc. | Not Vulnerable | 20-Feb-2007 |
| Intoto | Not Vulnerable | 20-Feb-2007 |
| IP Filter | Unknown | 19-Feb-2007 |
| Juniper Networks, Inc. | Not Vulnerable | 22-Feb-2007 |
| Linksys (A division of Cisco Systems) | Unknown | 19-Feb-2007 |
| Lucent Technologies | Unknown | 19-Feb-2007 |
| Luminous Networks | Unknown | 19-Feb-2007 |
| Mandriva, Inc. | Unknown | 19-Feb-2007 |
| Microsoft Corporation | Unknown | 19-Feb-2007 |
| MontaVista Software, Inc. | Unknown | 19-Feb-2007 |
| Multinet (owned Process Software Corporation) | Unknown | 19-Feb-2007 |
| Multitech, Inc. | Unknown | 19-Feb-2007 |
| NEC Corporation | Unknown | 19-Feb-2007 |
| NetBSD | Not Vulnerable | 20-Feb-2007 |
| netfilter | Unknown | 19-Feb-2007 |
| Network Appliance, Inc. | Unknown | 19-Feb-2007 |
| NextHop Technologies, Inc. | Unknown | 19-Feb-2007 |
| Nokia | Unknown | 19-Feb-2007 |
| Nortel Networks, Inc. | Vulnerable | 21-Feb-2007 |
| Novell, Inc. | Unknown | 19-Feb-2007 |
| OpenBSD | Unknown | 19-Feb-2007 |
| Openwall GNU/*/Linux | Not Vulnerable | 20-Feb-2007 |
| QNX, Software Systems, Inc. | Unknown | 19-Feb-2007 |
| Red Hat, Inc. | Not Vulnerable | 21-Feb-2007 |
| Redback Networks, Inc. | Unknown | 19-Feb-2007 |
| Riverstone Networks, Inc. | Unknown | 19-Feb-2007 |
| Secure Computing Network Security Division | Unknown | 19-Feb-2007 |
| Secureworx, Inc. | Unknown | 19-Feb-2007 |
| Silicon Graphics, Inc. | Unknown | 19-Feb-2007 |
| Slackware Linux Inc. | Unknown | 19-Feb-2007 |
| Snort | Vulnerable | 19-Feb-2007 |
| Sony Corporation | Unknown | 19-Feb-2007 |
| Sourcefire | Vulnerable | 19-Feb-2007 |
| Stonesoft | Unknown | 19-Feb-2007 |
| Sun Microsystems, Inc. | Unknown | 19-Feb-2007 |
| SUSE Linux | Unknown | 19-Feb-2007 |
| Symantec, Inc. | Unknown | 19-Feb-2007 |
| The SCO Group | Unknown | 19-Feb-2007 |
| Trustix Secure Linux | Unknown | 19-Feb-2007 |
| Turbolinux | Unknown | 19-Feb-2007 |
| Ubuntu | Unknown | 19-Feb-2007 |
| Unisys | Unknown | 19-Feb-2007 |
| Watchguard Technologies, Inc. | Unknown | 19-Feb-2007 |
| Wind River Systems, Inc. | Unknown | 19-Feb-2007 |
| ZyXEL | Unknown | 19-Feb-2007 |
References
https://www.securecoding.cert.org/confluence/x/GwAI
http://www.snort.org/docs/advisory-2007-02-19.html
https://support.sourcefire.com/
http://iss.net/threats/257.html
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html
http://www.snort.org/docs/release_notes/release_notes_2613.txt
http://www.snort.org/dl/
http://secunia.com/advisories/24235/
http://secunia.com/advisories/24190/
http://secunia.com/advisories/24272/
http://www.securityfocus.com/bid/22616
Credit
This vulnerability was reported and researched by Neel Mehta from IBM ISS X-Force.
This document was written by Chris Taschner and Art Manion.
Other Information
| Field | Value |
|---|---|
| Date Public: | 2007-02-19 |
| Date First Published: | 2007-02-19 |
| Date Last Updated: | 2008-01-30 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-5276 |
| NVD-ID(s): | CVE-2006-5276 |
| US-CERT Technical Alerts: | |
| Metric: | 23.62 |
| Document Revision: | 44 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.