[Pluto-security]
Fwd: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor (fwd)
Tom 'Dido' Di Donato
dido at sicurweb.com
Tue Mar 4 11:16:28 CET 2003
I am only passing on what was reported to me...
>---------- Forwarded message ----------
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Snort Vulnerability Advisory [SNORT-2003-001]
>
>Date: 2003-03-03
>
>Affected Snort Versions:
>
>Any version starting with version 1.8 to those before 2003-03-03 1PM/
>US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
>
>Synopsis:
>
>A buffer overflow has been found in the snort RPC normalization
>routines by ISS X-Force. This can cause snort to execute arbitrary
>code embedded within sniffed network packets. This preprocessor is
>enabled by default.
>
>Snort 1.9.1 has been released to resolve this issue. For users using
>CVS HEAD, a fix has been committed to the source tree.
>
>Mitigation:
>
>If you are in an environment that can not upgrade snort immediately,
>comment out the line in your snort.conf that begins:
>
>preprocessor rpc_decode
>
>and replace it with
>
># preprocessor rpc_decode
>
>Details:
>
>When the rpc decoder normalizes fragmented RPC records, it incorrectly
>checks the lengths of what is being normalized against the current
>packet size.
>
>The rpc decoder in Snort 1.9.1 and above contains new alert options
>that can be used to help detect this attack:
>
>Option                   Default State
>
>alert_fragments          INACTIVE
>alert_large_fragments    ACTIVE
>alert_incomplete         ACTIVE
>alert_multiple_requests  ACTIVE
>
>
>The first option will alert on any rpc fragmented record it finds.
>Large fragments will alert when the reassembled fragment record will
>exceed the current packet length. The incomplete record will alert
>when there is a partial record found. The alert_multiple_requests will
>alert when we find more than one RPC request per packet (or
>reassembled packet).
>
>Download Locations:
>
>Sourcefire has acquired additional bandwidth and hosting to aid users
>wishing to upgrade their Snort implementation. Binaries are currently
>not available, this is a source release only at this time. As new
>binaries become available they will be added to the site.
>
>Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
>GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
>
>CVS HEAD (Snort 2.0beta) has been fixed as well.
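
The length check described under "Details", as an added example that is not part of the advisory or of Snort's code: a minimal C normalizer for RPC record-marked fragments that bounds every declared fragment length by the bytes actually left in the packet and in the output buffer. The flag names, the function name and the mapping of conditions to the four alert options are assumptions based on the advisory's wording.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag names mirroring the advisory's four alert options. */
enum { RPC_FRAGMENTS = 1, RPC_LARGE_FRAGMENTS = 2,
       RPC_INCOMPLETE = 4, RPC_MULTIPLE_REQUESTS = 8 };

/* Constructed sample: the second marker claims 4096 bytes, only 2 follow. */
const uint8_t LYING[] = { 0,0,0,2,'a','b', 0x80,0,0x10,0,'c','d' };

/* Marker: 4 bytes big-endian, top bit = last fragment, low 31 bits = length.
 * Coalesces the first record into out; *out_len stays 0 if an alert aborts it. */
unsigned rpc_normalize(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0, total = 0;
    unsigned flags = 0, last = 0;

    *out_len = 0;
    if (out_cap < 4) return RPC_LARGE_FRAGMENTS;
    while (!last) {
        if (pkt_len - off < 4) return flags | RPC_INCOMPLETE; /* cut short */
        uint32_t len = (uint32_t)(pkt[off] & 0x7f) << 24 |
                       (uint32_t)pkt[off + 1] << 16 |
                       (uint32_t)pkt[off + 2] << 8 | pkt[off + 3];
        last = pkt[off] >> 7;
        off += 4;
        if (!last || off > 4) flags |= RPC_FRAGMENTS;
        /* Bound the declared length by the bytes really left in the packet
         * and the space really left in out, before anything is copied. */
        if (len > pkt_len - off || len > out_cap - 4 - total)
            return flags | RPC_LARGE_FRAGMENTS;
        memcpy(out + 4 + total, pkt + off, len);
        total += len;
        off += len;
    }
    out[0] = 0x80 | (uint8_t)(total >> 24);  out[1] = (uint8_t)(total >> 16);
    out[2] = (uint8_t)(total >> 8);          out[3] = (uint8_t)total;
    *out_len = total + 4;
    return off < pkt_len ? flags | RPC_MULTIPLE_REQUESTS : flags;
}

int main(void)
{
    uint8_t out[16];
    size_t n;
    printf("flags=%u\n", rpc_normalize(LYING, sizeof LYING, out, sizeof out, &n));
    return 0;
}
```

Because `off` never exceeds `pkt_len` and `total` never exceeds `out_cap - 4`, both subtractions in the bounds check are safe from unsigned wrap-around.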