ynotssor
19-10-2005, 10:09 AM
> Snort Back Orifice Preprocessor Buffer Overflow
> Original release date: October 18, 2005
> Last revised: --
> Source: US-CERT
>
> Systems Affected
> * Snort versions 2.4.0 to 2.4.2
> * Sourcefire Intrusion Sensors
> Other products that use Snort or Snort components may be affected.
>
> Overview
> The Snort Back Orifice preprocessor contains a buffer overflow that
> could allow a remote attacker to execute arbitrary code on a
> vulnerable system.
>
> I. Description
> Snort is a widely-deployed, open-source network intrusion detection
> system (IDS). Snort and its components are used in other IDS
> products, notably Sourcefire Intrusion Sensors, and Snort is
> included with a number of operating system distributions.
> Snort preprocessors are modular plugins that extend functionality
> by operating on packets before the detection engine is run. The
> Back Orifice preprocessor decodes packets to determine if they
> contain Back Orifice ping messages. The ping detection code does
> not adequately limit the amount of data that is read from the
> packet into a fixed-length buffer, thus creating the potential for
> a buffer overflow.
> The vulnerable code will process any UDP packet that is not
> destined to or sourced from the default Back Orifice port
> (31337/udp). An attacker could exploit this vulnerability by
> sending a specially crafted UDP packet to a host or network
> monitored by Snort.
> US-CERT is tracking this vulnerability as VU#175500. Further
> information is available in an advisory from Internet Security
> Systems (ISS).
>
> II. Impact
> A remote attacker who can send UDP packets to a Snort sensor may be
> able to execute arbitrary code. Snort typically runs with root or
> SYSTEM privileges, so an attacker could take complete control of a
> vulnerable system. An attacker does not need to target a Snort
> sensor directly; the attacker can target any host or network
> monitored by Snort.
>
> III. Solution
> Upgrade
> Sourcefire has released Snort 2.4.3 which is available from the
> Snort download site. For information about other vendors, please
> see the Systems Affected section of VU#175500.
> Disable Back Orifice Preprocessor
> To disable the Back Orifice preprocessor, comment out the line that
> loads the preprocessor in the Snort configuration file (typically
> /etc/snort.conf on UNIX and Linux systems):
> [/etc/snort.conf]
> ...
> #preprocessor bo
> ...
>
> Restart Snort for the change to take effect.
> Restrict Outbound Traffic
> Consider preventing Snort sensors from initiating outbound
> connections and restricting outbound traffic to only those hosts
> and networks that have legitimate requirements to communicate with
> the sensors. While this will not prevent exploitation of the
> vulnerability, it may make it more difficult for an attacker to
> access a compromised system or reconnoiter other systems.
>
> Appendix A. References
> * US-CERT Vulnerability Note VU#175500 -
> <http://www.kb.cert.org/vuls/id/177500>
> * Fixes and Mitigation Instructions Available for Snort Back
> Orifice Vulnerability -
> <http://www.snort.org/pub-bin/snortnews.cgi#99>
> * Snort downloads - <http://www.snort.org/dl/>
> * Snort 2.4.3 Changelog -
> <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
> * Preprocessors -
> <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
> node11.html#SECTION00310000000000000000>
> * Snort Back Orifice Parsing Remote Code Execution -
> <http://xforce.iss.net/xforce/alerts/id/207>
>
> __________________________________________________ __________________
> This vulnerability was researched and reported by Internet Security
> Systems (ISS).
> __________________________________________________ __________________
> The most recent version of this document can be found at:
> <http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
> __________________________________________________ __________________
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
> subject.
> __________________________________________________ __________________
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> __________________________________________________ __________________
> Produced 2005 by US-CERT, a government organization.
> Terms of use:
> <http://www.us-cert.gov/legal.html>
> __________________________________________________ __________________
>
> Revision History
> Oct 18, 2005: Initial release
> Subj: US-CERT Technical Cyber Security Alert TA05-291A -- Snort Back
> Orifice Preprocessor Buffer Overflow Date: Tuesday, October 18, 2005
> 11:52 AM
> From: technical-alerts@us-cert.gov
----------------------------------------------------------------
> Original release date: October 18, 2005
> Last revised: --
> Source: US-CERT
>
> Systems Affected
> * Snort versions 2.4.0 to 2.4.2
> * Sourcefire Intrusion Sensors
> Other products that use Snort or Snort components may be affected.
>
> Overview
> The Snort Back Orifice preprocessor contains a buffer overflow that
> could allow a remote attacker to execute arbitrary code on a
> vulnerable system.
>
> I. Description
> Snort is a widely-deployed, open-source network intrusion detection
> system (IDS). Snort and its components are used in other IDS
> products, notably Sourcefire Intrusion Sensors, and Snort is
> included with a number of operating system distributions.
> Snort preprocessors are modular plugins that extend functionality
> by operating on packets before the detection engine is run. The
> Back Orifice preprocessor decodes packets to determine if they
> contain Back Orifice ping messages. The ping detection code does
> not adequately limit the amount of data that is read from the
> packet into a fixed-length buffer, thus creating the potential for
> a buffer overflow.
> The vulnerable code will process any UDP packet that is not
> destined to or sourced from the default Back Orifice port
> (31337/udp). An attacker could exploit this vulnerability by
> sending a specially crafted UDP packet to a host or network
> monitored by Snort.
> US-CERT is tracking this vulnerability as VU#175500. Further
> information is available in an advisory from Internet Security
> Systems (ISS).
>
> II. Impact
> A remote attacker who can send UDP packets to a Snort sensor may be
> able to execute arbitrary code. Snort typically runs with root or
> SYSTEM privileges, so an attacker could take complete control of a
> vulnerable system. An attacker does not need to target a Snort
> sensor directly; the attacker can target any host or network
> monitored by Snort.
>
> III. Solution
> Upgrade
> Sourcefire has released Snort 2.4.3 which is available from the
> Snort download site. For information about other vendors, please
> see the Systems Affected section of VU#175500.
> Disable Back Orifice Preprocessor
> To disable the Back Orifice preprocessor, comment out the line that
> loads the preprocessor in the Snort configuration file (typically
> /etc/snort.conf on UNIX and Linux systems):
> [/etc/snort.conf]
> ...
> #preprocessor bo
> ...
>
> Restart Snort for the change to take effect.
> Restrict Outbound Traffic
> Consider preventing Snort sensors from initiating outbound
> connections and restricting outbound traffic to only those hosts
> and networks that have legitimate requirements to communicate with
> the sensors. While this will not prevent exploitation of the
> vulnerability, it may make it more difficult for an attacker to
> access a compromised system or reconnoiter other systems.
>
> Appendix A. References
> * US-CERT Vulnerability Note VU#175500 -
> <http://www.kb.cert.org/vuls/id/177500>
> * Fixes and Mitigation Instructions Available for Snort Back
> Orifice Vulnerability -
> <http://www.snort.org/pub-bin/snortnews.cgi#99>
> * Snort downloads - <http://www.snort.org/dl/>
> * Snort 2.4.3 Changelog -
> <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
> * Preprocessors -
> <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
> node11.html#SECTION00310000000000000000>
> * Snort Back Orifice Parsing Remote Code Execution -
> <http://xforce.iss.net/xforce/alerts/id/207>
>
> __________________________________________________ __________________
> This vulnerability was researched and reported by Internet Security
> Systems (ISS).
> __________________________________________________ __________________
> The most recent version of this document can be found at:
> <http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
> __________________________________________________ __________________
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
> subject.
> __________________________________________________ __________________
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> __________________________________________________ __________________
> Produced 2005 by US-CERT, a government organization.
> Terms of use:
> <http://www.us-cert.gov/legal.html>
> __________________________________________________ __________________
>
> Revision History
> Oct 18, 2005: Initial release
> Subj: US-CERT Technical Cyber Security Alert TA05-291A -- Snort Back
> Orifice Preprocessor Buffer Overflow Date: Tuesday, October 18, 2005
> 11:52 AM
> From: technical-alerts@us-cert.gov
----------------------------------------------------------------