Re: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor
From: Martin Roesch (roesch@sourcefire.com)
Date: Tue Mar 04 2003 - 14:58:41 CST
http://www.snort.org/dl/binaries/win32/snort-1_9_1.exe
On Tuesday, March 4, 2003, at 12:12 AM, Geoff Craig wrote:
> Hello,
>
> Is there any time frame for when a compiled Win32 .exe of 1.9.1 will
> become available? Or could someone point to steps for compiling the
> available 1.9.1 Win32 src?
>
> Thanks,
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch@sourcefire.com]
> Sent: Mon 3/3/2003 5:53 PM
> To: focus-ids@securityfocus.com
> Cc:
> Subject: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor
>
>
>
> Snort Vulnerability Advisory [SNORT-2003-001]
>
> Date: 2003-03-03
>
> Affected Snort Versions:
>
> Any version starting with version 1.8 to those before 2003-03-03 1PM
> US/Eastern, including 1.9.0 and CVS HEAD (Snort 2.0beta)
>
> Synopsis:
>
> A buffer overflow has been found in the snort RPC normalization
> routines by ISS X-Force. This can cause snort to execute arbitrary
> code embedded within sniffed network packets. This preprocessor is
> enabled by default.
>
> Snort 1.9.1 has been released to resolve this issue. For users using
> CVS HEAD, a fix has been committed to the source tree.
>
> Mitigation:
>
> If you are in an environment that cannot upgrade snort immediately,
> comment out the line in your snort.conf that begins:
>
> preprocessor rpc_decode
>
> and replace it with
>
> # preprocessor rpc_decode
>
> Details:
>
> When the rpc decoder normalizes fragmented RPC records, it incorrectly
> checks the lengths of what is being normalized against the current
> packet size.
>
> The rpc decoder in Snort 1.9.1 and above contains new alert options
> that can be used to help detect this attack.
>
> Option                    Default State
>
> alert_fragments           INACTIVE
> alert_large_fragments     ACTIVE
> alert_incomplete          ACTIVE
> alert_multiple_requests   ACTIVE
>
>
> The first option will alert on any rpc fragmented record it finds.
> Large fragments will alert when the reassembled fragment record will
> exceed the current packet length. The incomplete option will alert
> when a partial record is found. The alert_multiple_requests option
> will alert when we find more than one RPC request per packet (or
> reassembled packet).
>
> Download Locations:
>
> Sourcefire has acquired additional bandwidth and hosting to aid users
> wishing to upgrade their Snort implementation. Binaries are currently
> not available, this is a source release only at this time. As new
> binaries become available they will be added to the site.
>
> Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
> GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
>
> CVS HEAD (Snort 2.0beta) has been fixed as well.
>
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
> roesch@sourcefire.com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
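The length check that the advisory's Details paragraph describes, as an added example that is not Snort's code: a bounds-checked normalizer for ONC RPC record marking (RFC 1831: a 4-byte mark whose high bit flags the last fragment and whose low 31 bits give the fragment length). Every fragment length is compared against the bytes still left in the packet and the space left in the output buffer, not against the packet's total size, and the normalizer reports the four conditions behind the advisory's alert options (fragments, large fragments, incomplete record, multiple requests). The function names, alert flag values and sample packets are this example's own constructions; rpc_weak_check_accepts models the weaker "length versus whole packet" comparison only to show which crafted input it would let through, and copies nothing.

```c
/* Added example, not Snort's code: a bounds-checked normalizer for ONC RPC
 * record marking (RFC 1831) that reports the conditions behind the advisory's
 * rpc_decode alert options. Names, flag values and packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPC_ALERT_FRAGMENTS         0x01u  /* record arrived in >1 fragment  */
#define RPC_ALERT_LARGE_FRAGMENTS   0x02u  /* length runs past packet/buffer */
#define RPC_ALERT_INCOMPLETE        0x04u  /* packet ends before last frag   */
#define RPC_ALERT_MULTIPLE_REQUESTS 0x08u  /* >1 complete record in packet   */
#define RPC_LAST_FRAG 0x80000000u          /* MSB of the record mark         */
#define RPC_FRAG_MASK 0x7fffffffu          /* low 31 bits: fragment length   */

static uint32_t rd32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Rewrite pkt[0..pkt_len) into out[0..out_cap) so every record is a single
 * fragment. Returns bytes written, or -1 when a fragment length would run past
 * the packet or the output buffer. *alerts receives the RPC_ALERT_* bits. */
int rpc_normalize(const uint8_t *pkt, size_t pkt_len,
                  uint8_t *out, size_t out_cap, unsigned *alerts)
{
    size_t in = 0, written = 0, rec_hdr = 0, rec_body = 0;
    unsigned records = 0, frags = 0;
    int in_record = 0;

    *alerts = 0;
    while (in < pkt_len) {
        if (pkt_len - in < 4) { *alerts |= RPC_ALERT_INCOMPLETE; break; }
        uint32_t mark = rd32(pkt + in);
        size_t frag_len = mark & RPC_FRAG_MASK;
        int last = (mark & RPC_LAST_FRAG) != 0;
        in += 4;
        /* Check against the bytes still left in the packet, never pkt_len itself:
         * a length below pkt_len but above what remains reads past the packet, and
         * several such fragments summed overrun an output buffer sized to the packet. */
        if (frag_len > pkt_len - in) { *alerts |= RPC_ALERT_LARGE_FRAGMENTS; return -1; }
        if (!in_record) {                 /* reserve one record mark in out */
            if (out_cap - written < 4) { *alerts |= RPC_ALERT_LARGE_FRAGMENTS; return -1; }
            rec_hdr = written; written += 4; rec_body = 0; frags = 0; in_record = 1;
        }
        if (frag_len > out_cap - written) { *alerts |= RPC_ALERT_LARGE_FRAGMENTS; return -1; }
        memcpy(out + written, pkt + in, frag_len);
        written += frag_len; in += frag_len; rec_body += frag_len; frags++;
        if (last) {                       /* seal the reassembled record */
            wr32(out + rec_hdr, RPC_LAST_FRAG | (uint32_t)rec_body);
            if (frags > 1) *alerts |= RPC_ALERT_FRAGMENTS;
            records++; in_record = 0;
        }
    }
    if (in_record) {                      /* packet ended mid-record */
        wr32(out + rec_hdr, (uint32_t)rec_body);
        *alerts |= RPC_ALERT_INCOMPLETE;
    }
    if (records > 1) *alerts |= RPC_ALERT_MULTIPLE_REQUESTS;
    return (int)written;
}

/* The weaker comparison the Details paragraph describes, modelled here as
 * "fragment length <= whole packet size". Copies nothing, so it is safe on
 * hostile input; returns 1 if every mark in pkt would be accepted. */
int rpc_weak_check_accepts(const uint8_t *pkt, size_t pkt_len)
{
    size_t in = 0;
    while (in <= pkt_len && pkt_len - in >= 4) {
        size_t frag_len = rd32(pkt + in) & RPC_FRAG_MASK;
        if (frag_len > pkt_len) return 0;
        in += 4 + frag_len;
    }
    return 1;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_SINGLE[]    = {0x80,0,0,4,'a','b','c','d'};
static const uint8_t PKT_TWO_FRAGS[] = {0,0,0,2,'a','b', 0x80,0,0,2,'c','d'};
static const uint8_t PKT_OVERSIZED[] = {0x80,0,0,8,'a','b','c','d'};   /* claims 8, carries 4 */
static const uint8_t PKT_TWO_REQS[]  = {0x80,0,0,2,'a','b', 0x80,0,0,2,'c','d'};
static const uint8_t PKT_PARTIAL[]   = {0,0,0,2,'a','b'};

/* Helpers: normalized length (or -1), alert bits, first normalized record mark. */
int rpc_sample_len(const uint8_t *pkt, size_t len)
{ uint8_t out[64]; unsigned a; return rpc_normalize(pkt, len, out, sizeof out, &a); }
unsigned rpc_sample_alerts(const uint8_t *pkt, size_t len)
{ uint8_t out[64]; unsigned a; rpc_normalize(pkt, len, out, sizeof out, &a); return a; }
uint32_t rpc_sample_first_mark(const uint8_t *pkt, size_t len)
{ uint8_t out[64] = {0}; unsigned a; rpc_normalize(pkt, len, out, sizeof out, &a); return rd32(out); }

int main(void)
{
    printf("oversized fragment: weak check accepts=%d strict normalize=%d alerts=0x%x\n",
           rpc_weak_check_accepts(PKT_OVERSIZED, sizeof PKT_OVERSIZED),
           rpc_sample_len(PKT_OVERSIZED, sizeof PKT_OVERSIZED), rpc_sample_alerts(PKT_OVERSIZED, sizeof PKT_OVERSIZED));
    return 0;
}
```

Build with `cc -std=c99 -Wall rpc_norm.c` and run it: the crafted packet that claims an 8-byte fragment while carrying only 4 passes the weak comparison but is rejected by the strict one with the large-fragment bit set, which is the behaviour the alert_large_fragments option is described as flagging. The two-fragment packet comes out as one record with a single 0x80000004 mark and raises only the fragments bit, which the advisory lists as off by default; in a snort.conf for 1.9.1 that option is expected to be enabled by appending its keyword to the preprocessor line (for example `preprocessor rpc_decode: 111 32771 alert_fragments`), though the exact keyword syntax should be confirmed against the README shipped with the release.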