Remote Code Execution Hole Found In Snort 95
Palljon1123 writes "A stack-based buffer overflow in the Snort intrusion detection system could leave government and enterprise installations vulnerable to remote unauthenticated code execution attacks. The flaw, found by researchers at IBM's ISS X-Force, affects the Snort DCE/RPC preprocessor and could be used to execute code with the same privileges (usually root or SYSTEM) as the Snort binary. No user action is required." Sourcefire has an update to fix the vulnerability in versions 2.6.1, 2.6.1.1, and 2.6.1.2; Heise Security spells out the workaround for the 2.7.0 beta version.
SANS (Score:4, Informative)
Re:The very definition of irony (Score:4, Informative)
Disable the dce/rpc preprocessor (Score:3, Informative)
There are some instances where this should be running such as internal traffic monitoring, but I don't see how this can hit people from the internet with fragmented RPC traffic unless they're allowing it at the firewall.
Also, don't run any network service as root. FC6 install of snort does run as root by default, kinda lame.
-u username -g groupname arguments in the init script when starting the daemon will make it run as username:groupname credentials. nobody:nogroup maybe. Consider also chroot jail.
Old tips http://isc.sans.org/diary.html?date=2005-10-18 [sans.org]
Completely unnecessary (Score:5, Informative)
(and no, the error isn't there, it's just the first thing I came across in the snort source)
Why are they even using C? Suprise, they make exploitable buffer overflow attacks! And they still have one verified, non-fixed issue detected by coverity, plus 33 "uninspected and pending" according to coverity's scan [coverity.com].
int CheckRule(char *str)
{
int len;
int got_paren = 0;
int got_semi = 0;
char *index;
len = strlen(str);
index = str + len - 1;
while((isspace((int)*index)))
{
if(index > str)
index--;
else
return 0;
}
if(*index == ')')
{
got_paren = 1;
index--;
}
while((isspace((int)*index)))
{
if(index > str)
index--;
else
return 0;
}
if(*index == ';')
Re:Remote, what about stealth installations (Score:4, Informative)
There are a few problems with passive taps...
1. They *don't* work with gigabit ethernet. If I remember the spec for gigabit ethernet correctly, this has something to do with the fact all of the wire pairs are used for XMIT and RECV.
2. The passive tap in the link you provided isn't exactly good for your network. This tap will still draw current as well as introduce some interference. In the worst case, you can blow a NIC with one of these. Of course, the easiest way around these problems is to use a hub (do not use a network switch as that won't work... you need a HUB).
3. You will need to run 2 NICs (1 for XMIT, 1 for RECV) in order to examine full duplex traffic. This may be an issue if you are trying to run snort on an embedded device.
If I had the option, I would rather run a spare computer as a Linux (or BSD based for that matter) firewall box and use port mirroring to mirror ethernet traffic over IEEE1394 (firewire) to another box running snort. The only downside is that ethernet over firewire is at best a 400 megabit connection.
Re:Remote, what about stealth installations (Score:1, Informative)
2. WTF? A switch will work just fine unless it's a POS.
3. Still don't know what you're talking about. Is this just a snort thing? Why would you need to transmit from a passive sniffer? It's freakin' passive.