Vulnerability Note VU#139129

Heap overflow in Snort "stream4" preprocessor

Original Release date: 16 Apr 2003 | Last revised: 19 May 2003


The Snort "stream4" preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.


Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.

To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.

For further information, please read the Core Security Technologies Advisory located at

This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1.


This vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.


Upgrade to Snort 2.0

This vulnerability is addressed in Snort version 2.0, which is available at

Binary-only versions of Snort are available from

Disable the "stream4" preprocessor module

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor module in the "snort.conf" configuration file. To do this, comment out the following line:

preprocessor stream4_reassemble

After commenting out the affected module, send a SIGHUP signal to the affected Snort process to update the configuration. Note that disabling this module may have adverse effects on a sensor's ability to correctly process TCP packet fragments. In particular, disabling this module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

You may be able limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
DebianAffected16 Apr 200319 May 2003
Gentoo LinuxAffected22 Apr 200319 May 2003
Guardian Digital Inc. Affected16 Apr 200319 May 2003
MandrakeSoftAffected16 Apr 200319 May 2003
SmoothWallAffected17 Apr 200321 Apr 2003
SnortAffected16 Apr 200317 Apr 2003
Apple Computer Inc.Not Affected16 Apr 200317 Apr 2003
ConectivaNot Affected16 Apr 200319 May 2003
FujitsuNot Affected16 Apr 200319 May 2003
Ingrian NetworksNot Affected16 Apr 200317 Apr 2003
NetBSDNot Affected16 Apr 200317 Apr 2003
Red Hat Inc.Not Affected16 Apr 200317 Apr 2003
SGINot Affected16 Apr 200317 Apr 2003
BSDIUnknown16 Apr 200317 Apr 2003
Cray Inc.Unknown16 Apr 200317 Apr 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was discovered by Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2003-0209
  • CERT Advisory: CA-2003-13
  • Date Public: 15 Apr 2003
  • Date First Published: 16 Apr 2003
  • Date Last Updated: 19 May 2003
  • Severity Metric: 30.99
  • Document Revision: 22


If you have feedback, comments, or additional information about this vulnerability, please send us email.