Vulnerability Note VU#916785

Buffer overflow in Snort RPC preprocessor

Overview

There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.

I. Description

Martin Roesch, the primary Snort developer, described the vulnerability by saying:

    When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default.
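
RPC over TCP uses record marking: each fragment starts with a 4-byte big-endian marker whose top bit flags the last fragment and whose low 31 bits give the fragment length. The following is an added example, not Snort's code and not part of the original note: a hypothetical `rpc_normalize` helper that merges the fragments of one record while checking every claimed length against the bytes left in the source and, separately, the room left in the destination.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPC_LAST_FRAG 0x80000000u   /* top bit of the 4-byte record marker */

static uint32_t rd32(const uint8_t *p) {            /* big-endian marker */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Merge the fragments of one RPC record in `in` into a single fragment in
 * `out`. Returns bytes written, or -1 if the input is malformed or the
 * result does not fit. Hypothetical helper, not Snort's function. */
long rpc_normalize(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t ipos = 0, opos = 4;      /* reserve room for the merged marker */
    int last = 0;

    /* Need room for the marker; merged length must fit in 31 bits. */
    if (out_cap < 4 || out_cap - 4 > 0x7fffffffu)
        return -1;
    while (!last) {
        if (in_len - ipos < 4)      /* the marker itself must be present */
            return -1;
        uint32_t marker = rd32(in + ipos);
        size_t flen = marker & ~RPC_LAST_FRAG;
        last = (marker & RPC_LAST_FRAG) != 0;
        ipos += 4;
        if (flen > in_len - ipos)   /* claimed length vs. bytes left in source */
            return -1;
        if (flen > out_cap - opos)  /* and, separately, vs. room left in dest */
            return -1;
        memcpy(out + opos, in + ipos, flen);
        ipos += flen;
        opos += flen;
    }
    uint32_t total = (uint32_t)(opos - 4) | RPC_LAST_FRAG;
    out[0] = (uint8_t)(total >> 24); out[1] = (uint8_t)(total >> 16);
    out[2] = (uint8_t)(total >> 8);  out[3] = (uint8_t)total;
    return (long)opos;
}

int main(void) {
    /* Constructed sample: fragments "AB" and "CDE" (last), one record. */
    const uint8_t rec[] = {0,0,0,2,'A','B', 0x80,0,0,3,'C','D','E'};
    uint8_t out[16], small[8];
    printf("fits: %ld\n", rpc_normalize(rec, sizeof rec, out, sizeof out));
    printf("too small: %ld\n", rpc_normalize(rec, sizeof rec, small, sizeof small));
    return 0;
}
```

Both subtractions are safe because the loop keeps `ipos <= in_len` and `opos <= out_cap` at every step, so neither length check can wrap around.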


The ISS X-Force team has published an advisory with additional information on this issue:

Information about this vulnerability can also be found on the Snort web site at:

II. Impact

A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.

III. Solution

Upgrade to Snort version 1.9.1


Disable the rpc_decode preprocessor
    You can prevent exploitation of this vulnerability by commenting out the rpc_decode preprocessor in the "snort.conf" configuration file. Note that this change may affect your ability to correctly process RPC record fragments.

Block outbound packets from Snort IDS systems
    You may be able to limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer Inc. | Not Vulnerable | 17-Apr-2003
BSDI | Unknown | 17-Apr-2003
Conectiva | Vulnerable | 17-Apr-2003
Cray Inc. | Unknown | 17-Apr-2003
Data General | Unknown | 17-Apr-2003
Debian | Vulnerable | 19-May-2003
FreeBSD | Unknown | 17-Apr-2003
Fujitsu | Not Vulnerable | 19-May-2003
Gentoo Linux | Vulnerable | 19-May-2003
Guardian Digital Inc. | Vulnerable | 17-Apr-2003
Hewlett-Packard Company | Unknown | 17-Apr-2003
IBM | Unknown | 17-Apr-2003
Ingrian Networks | Not Vulnerable | 17-Apr-2003
MandrakeSoft | Vulnerable | 17-Apr-2003
MontaVista Software | Unknown | 17-Apr-2003
NEC Corporation | Unknown | 17-Apr-2003
NetBSD | Not Vulnerable | 17-Apr-2003
Nokia | Unknown | 17-Apr-2003
OpenBSD | Unknown | 17-Apr-2003
Openwall GNU/*/Linux | Unknown | 17-Apr-2003
Red Hat Inc. | Not Vulnerable | 17-Apr-2003
Sequent | Unknown | 17-Apr-2003
SGI | Not Vulnerable | 17-Apr-2003
SmoothWall | Vulnerable | 21-Apr-2003
Snort | Vulnerable | 17-Apr-2003
Sony Corporation | Unknown | 17-Apr-2003
Sun Microsystems Inc. | Unknown | 17-Apr-2003
SuSE Inc. | Unknown | 17-Apr-2003
The SCO Group (SCO Linux) | Unknown | 17-Apr-2003
The SCO Group (SCO UnixWare) | Unknown | 17-Apr-2003
Unisys | Unknown | 17-Apr-2003
Wind River Systems Inc. | Unknown | 17-Apr-2003
Wirex | Unknown | 17-Apr-2003

References


http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
http://www.snort.org/dl/snort-1.9.1.tar.gz
http://marc.theaimsgroup.com/?l=bugtraq&m=104673386226064&w=2
http://www.iss.net/security_center/static/10956.php

Credit

Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.

This document was written by Cory F. Cohen.

Other Information

Date Public: 2003-03-03
Date First Published: 2003-03-03
Date Last Updated: 2003-05-19
CERT Advisory: CA-2003-13
CVE-ID(s): CAN-2003-0033
NVD-ID(s): CAN-2003-0033
US-CERT Technical Alerts: 
Metric: 6.41
Document Revision: 21

Copyright 2003 Carnegie Mellon University