Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] back orifice and snort - two words not to be used together

from [Chris Wysopal] Network Security [Permanent Link]
Subject: [VulnWatch] back orifice and snort - two words not to be used together
Date: Tue, 18 Oct 2005 17:05:41 -0500 (EST) 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                      National Cyber Alert System

                Technical Cyber Security Alert TA05-291A


Snort Back Orifice Preprocessor Buffer Overflow

    Original release date: October 18, 2005
    Last revised: --
    Source: US-CERT


Systems Affected

      * Snort versions 2.4.0 to 2.4.2
      * Sourcefire Intrusion Sensors

    Other products that use Snort or Snort components may be affected.


Overview

    The Snort Back Orifice preprocessor contains a buffer overflow that
    could allow a remote attacker to execute arbitrary code on a
    vulnerable system.


I. Description

    Snort is a widely-deployed, open-source network intrusion detection
    system (IDS). Snort and its components are used in other IDS
    products, notably Sourcefire Intrusion Sensors, and Snort is
    included with a number of operating system distributions.

    Snort preprocessors are modular plugins that extend functionality
    by operating on packets before the detection engine is run. The
    Back Orifice preprocessor decodes packets to determine if they
    contain Back Orifice ping messages. The ping detection code does
    not adequately limit the amount of data that is read from the
    packet into a fixed-length buffer, thus creating the potential for
    a buffer overflow.

    The vulnerable code will process any UDP packet that is not
    destined to or sourced from the default Back Orifice port
    (31337/udp). An attacker could exploit this vulnerability by
    sending a specially crafted UDP packet to a host or network
    monitored by Snort.

    US-CERT is tracking this vulnerability as VU#175500. Further
    information is available in an advisory from Internet Security
    Systems (ISS).


II. Impact

    A remote attacker who can send UDP packets to a Snort sensor may be
    able to execute arbitrary code. Snort typically runs with root or
    SYSTEM privileges, so an attacker could take complete control of a
    vulnerable system. An attacker does not need to target a Snort
    sensor directly; the attacker can target any host or network
    monitored by Snort.


III. Solution

Upgrade

    Sourcefire has released Snort 2.4.3 which is available from the
    Snort download site. For information about other vendors, please
    see the Systems Affected section of VU#175500.

Disable Back Orifice Preprocessor

    To disable the Back Orifice preprocessor, comment out the line that
    loads the preprocessor in the Snort configuration file (typically
    /etc/snort.conf on UNIX and Linux systems):

      [/etc/snort.conf]
      ...
      #preprocessor bo
      ...

    Restart Snort for the change to take effect.

Restrict Outbound Traffic

    Consider preventing Snort sensors from initiating outbound
    connections and restricting outbound traffic to only those hosts
    and networks that have legitimate requirements to communicate with
    the sensors. While this will not prevent exploitation of the
    vulnerability, it may make it more difficult for an attacker to
    access a compromised system or reconnoiter other systems.


Appendix A. References

      * US-CERT Vulnerability Note VU#175500 -
        <http://www.kb.cert.org/vuls/id/177500>

      * Fixes and Mitigation Instructions Available for Snort Back
        Orifice Vulnerability -
        <http://www.snort.org/pub-bin/snortnews.cgi#99>

      * Snort downloads - <http://www.snort.org/dl/>

      * Snort 2.4.3 Changelog -
        <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>

      * Preprocessors -
        <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
        node11.html#SECTION00310000000000000000>

      * Snort Back Orifice Parsing Remote Code Execution -
        <http://xforce.iss.net/xforce/alerts/id/207>


  ____________________________________________________________________

    This vulnerability was researched and reported by Internet Security
    Systems (ISS).
  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2005 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    Oct 18, 2005: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3
T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H
+qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX
4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM
nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme
jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ==
=jjID
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] back orifice and snort - two words not to be used together, Chris Wysopal <=
Previous by Date:  [Full-disclosure] flexbackup default config insecure temporary file creation, ZATAZ Audits
Next by Date:  [Full-disclosure] iDEFENSE Security Advisory 10.20.05: Multiple Vendor Ethereal srvloc Buffer Overflow Vulnerability, iDEFENSE Labs
Previous by Thread:  [Full-disclosure] flexbackup default config insecure temporary file creation, ZATAZ Audits
Next by Thread:  [Full-disclosure] iDEFENSE Security Advisory 10.20.05: Multiple Vendor Ethereal srvloc Buffer Overflow Vulnerability, iDEFENSE Labs
Indexes:  [Date] [Thread] [Top] [All Lists]