Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: bt9.txt

Multiple Vulnerabilities in Snort Preprocessors





CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

   Original release date: April 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Snort IDS, versions 1.8 through 2.0 RC1

Overview

   There are two vulnerabilities in the Snort Intrusion Detection System,
   each  in  a  separate  preprocessor module. Both vulnerabilities allow
   remote  attackers to execute arbitrary code with the privileges of the
   user running Snort, typically root.

I. Description

   The   Snort  intrusion  detection  system  ships  with  a  variety  of
   preprocessor  modules  that  allow  the  user  to  selectively include
   additional    functionality.    Researchers   from   two   independent
   organizations have discovered vulnerabilities in two of these modules,
   the  RPC  preprocessor  and  the  "stream4"  TCP  fragment  reassembly
   preprocessor.

   For additional information regarding Snort, please see
   
     http://www.snort.org/.

   VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)

   Researchers  at  CORE Security Technologies have discovered a remotely
   exploitable  heap overflow in the Snort "stream4" preprocessor module.
   This  module  allows  Snort  to  reassemble  TCP  packet fragments for
   further analysis.

   To  exploit  this  vulnerability,  an  attacker must disrupt the state
   tracking  mechanism  of the preprocessor module by sending a series of
   packets  with  crafted  sequence  numbers.  This  causes the module to
   bypass a check for buffer overflow attempts and allows the attacker to
   insert arbitrary code into the heap.

   For additional information, please read the Core Security Technologies
   Advisory located at

     http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

   This  vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
   to  RC1. Snort has published an advisory regarding this vulnerability;
   it is available at

     http://www.snort.org/advisories/snort-2003-04-16-1.txt.

   VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)

   Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
   remotely  exploitable  buffer  overflow  in the Snort RPC preprocessor
   module.  Martin  Roesch,  primary  developer  for Snort, described the
   vulnerability as follows:

     When the RPC decoder normalizes fragmented RPC records, it
     incorrectly checks the lengths of what is being normalized against
     the current packet size, leading to an overflow condition. The RPC
     preprocessor is enabled by default.

   For  additional  information,  please  read  the  ISS X-Force advisory
   located at

     http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

   This  vulnerability  affects  Snort  versions  1.8.x through 1.9.1 and
   version 2.0 Beta.

II. Impact

   Both  VU#139129  and  VU#916785  allow  remote  attackers  to  execute
   arbitrary  code  with  the  privileges  of  the  user  running  Snort,
   typically  root.  In addition, it is not necessary for the attacker to
   know  the  IP  address of the Snort device they wish to attack; merely
   sending  malicious  traffic  where  it  can be observed by an affected
   Snort sensor is sufficient to exploit these vulnerabilities.

III. Solution

Upgrade to Snort 2.0

   Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
   is available at

     http://www.snort.org/dl/snort-2.0.0.tar.gz

   Binary-only versions of Snort are available from

     http://www.snort.org/dl/binaries

   For  information  from  other  vendors  that ship affected versions of
   Snort, please see Appendix A of this document.

Disable affected preprocessor modules

   Sites  that  are  unable to immediately upgrade affected Snort sensors
   may  prevent  exploitation of this vulnerability by commenting out the
   affected preprocessor modules in the "snort.conf" configuration file.

   To prevent exploitation of VU#139129, comment out the following line:

     preprocessor stream4_reassemble

   To prevent exploitation of VU#916785, comment out the following line:

     preprocessor rpc_decode: 111 32771

   After commenting out the affected modules, send a SIGHUP signal to the
   affected   Snort  process  to  update  the  configuration.  Note  that
   disabling these modules may have adverse affects on a sensor's ability
   to correctly process RPC record fragments and TCP packet fragments. In
   particular,  disabling  the "stream4" preprocessor module will prevent
   the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

   You  may  be  able  limit  an attacker's capabilities if the system is
   compromised  by  blocking  all outbound traffic from the Snort sensor.
   While   this   workaround   will   not  prevent  exploitation  of  the
   vulnerability,  it  may  make  it  more  difficult for the attacker to
   create a useful exploit.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Apple Computer, Inc.

   Snort is not shipped with Mac OS X or Mac OS X Server.

Ingrian Networks

   Ingrian  Networks  products  are  not  susceptible  to  VU#139129  and
   VU#916785 since they do not use Snort.

   Ingrian  customers  who  are  using the IDS Extender Service Engine to
   mirror  cleartext  data  to a Snort-based IDS should upgrade their IDS
   software.

NetBSD

   NetBSD does not include snort in the base system.

   Snort  is  available from the 3rd party software system, pkgsrc. Users
   who  have  installed  net/snort,  net/snort-mysql  or  net/snort-pgsql
   should  update  to a fixed version. pkgsrc/security/audit-packages can
   be used to keep up to date with these types of issues.

Red Hat Inc.

   Not  vulnerable.  Red  Hat does not ship Snort in any of our supported
   products.

SGI

   SGI does not ship snort as part of IRIX.

Snort

   Snort  2.0 has undergone an external third party professional security
   audit funded by Sourcefire.
     _________________________________________________________________

   The  CERT/CC  acknowledges  Bruce Leidl, Juan Pablo Martinez Kuhn, and
   Alejandro David Weil of Core Security Technologies for their discovery
   of  VU#139129.  We  also  acknowledge  Mark Dowd and Neel Mehta of ISS
   X-Force for their discovery of VU#916785.
     _________________________________________________________________

   Authors: Jeffrey P. Lanza and Cory F. Cohen.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-13.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
April 17, 2003:  Initial release



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH