TUCoPS :: Linux :: Apps A-M :: sb6037.htm

Buffer overflow in Snort RPC preprocessor
4th Mar 2003 [SBWID-6037]
COMMAND

	Buffer overflow in Snort RPC preprocessor

SYSTEMS AFFECTED

	Any version starting with version 1.8 to those  before  2003-03-03  1PM/
	US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)

PROBLEM

	Martin Roesch - Founder/CTO, Sourcefire Inc.  -  [roesch@sourcefire.com]
	[http://www.sourcefire.com],  says  in  Snort   Vulnerability   Advisory
	[SNORT-2003-001] :
	
	 http://www.snort.org
	
	A buffer  overflow  has  been  found  in  the  snort  RPC  normalization
	routines by ISS X-Force. This can cause snort to execute arbitrary  code
	embedded within sniffed network packets. This  preprocessor  is  enabled
	by default.
	
	Snort 1.9.1 has been released to resolve this  issue.  For  users  using
	CVS HEAD, a fix has been committed to the source tree.
	
	Details:
	
	When the rpc decoder normalizes fragmented RPC records,  it  incorrectly
	checks the lengths of what  is  being  normalized  against  the  current
	packet size.
	
	The rpc decoder in Snort 1.9.1 and  above  contains  new  alert  options
	that can be used to help detect this attack
	
	Option                    Default State
	
	alert_fragments           INACTIVE
	alert_large_fragments     ACTIVE
	alert_incomplete          ACTIVE
	alert_multiple_requests   ACTIVE
	
	
	The first option will alert on  any  rpc  fragmented  record  it  finds.
	Large fragments will alert when the  reassembled  fragment  record  will
	exceed the current packet length. The incomplete record will alert  when
	there is a partial record found. The alert_multiple_requests will  alert
	when we find more than one RPC  request  per  packet  (  or  reassembled
	packet ).

SOLUTION

	 Mitigation
	 ==========
	
	If you are in an environment that can  not  upgrade  snort  immediately,
	comment out the line in your snort.conf that begins:
	
	preprocessor rpc_decode
	
	and replace it with
	
	# preprocessor rpc_decode
	
	 Patch
	 =====
	
	Sourcefire has acquired additional bandwidth and hosting  to  aid  users
	wishing to upgrade their Snort implementation.  Binaries  are  currently
	not available, this is a source  release  only  at  this  time.  As  new
	binaries become available they will be added to the site.
	
	Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz GPG  Signatures:
	http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
	
	CVS HEAD (Snort 2.0beta)  has been fixed as well.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH