The Snort "stream4" preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.
Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.
This vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.
Upgrade to Snort 2.0
Disable the "stream4" preprocessor module
Guardian Digital Inc.
Apple Computer Inc.
Red Hat Inc.
Sun Microsystems Inc.
The SCO Group (SCO Linux)
The SCO Group (SCO UnixWare)
Wind River Systems Inc.
This vulnerability was discovered by Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies.
This document was written by Jeffrey P. Lanza.