Remote Code Execution Hole Found In Snort 95
Palljon1123 writes "A stack-based buffer overflow in the Snort intrusion detection system could leave government and enterprise installations vulnerable to remote unauthenticated code execution attacks. The flaw, found by researchers at IBM's ISS X-Force, affects the Snort DCE/RPC preprocessor and could be used to execute code with the same privileges (usually root or SYSTEM) as the Snort binary. No user action is required." Sourcefire has an update to fix the vulnerability in versions 2.6.1, 2.6.1.1, and 2.6.1.2; Heise Security spells out the workaround for the 2.7.0 beta version.
The very definition of irony (Score:3, Insightful)
Re:The very definition of irony (Score:1, Insightful)
Remote, what about stealth installations (Score:4, Insightful)
Why this vulnerability? (Score:4, Insightful)
Re:Remote, what about stealth installations (Score:1, Insightful)
Shellcode for a backdoor is the classic example but any small amount of bootstrap code could execute.
On an unrelated note: This exploit shows a weakness in the default Linux/UNIX security model: SNORT basically has to run as root in order to listen to raw traffic (and that is probably a good thing too). However when it does so, the rest of the program also runs with root privileges, including complex and bug-prone things like protocol analyzers (like the RPC analyzer).
There are some solutions for this, snort could be re-coded using privilege separation similar to openSSH, but that would probably be too slow for a program like snort (the speed is not much of an issue for SSH).
Alternatively, something like SELinux could contain the snort process to put it into a restricted domain where even having root privileges would not allow snort to execute other programs, open non-typed files (like shadow) or to make syscalls for opening sockets/getting IP addresses. Main problem with SELinux: Not always easy to use. The good news: Usually people running snort for real should know it. Issue: How many Linux based installs of snort are actually protected in any real way????
Re:Remote, what about stealth installations (Score:3, Insightful)
From snort 2.6:
That could be very helpful if the group is nobody or another group not allowed to mess with the rest of the system. Once again, it has to be used properly though.
Re:Remote, what about stealth installations (Score:2, Insightful)
Re:Remote, what about stealth installations (Score:1, Insightful)
A chroot jail is good, but unless I'm mistaken it only cuts off access to the global file namespace. The rooted process can still make system and network calls that could do quite a bit for an attacker, although taking over the whole machine would still require the ability to effectively escape from the chroot jail.
Re:Why this vulnerability? (Score:3, Insightful)
Re:Silly Hackers (Score:5, Insightful)
Every company large enough to need a Security team (you know, the companies with the most money) is going to be running Linux. Nearly all the best infosec tools are Linux apps. I know you are likely going for Colbert-esque humor here, but the fact is that companies that run Snort on Linux probably have much MORE money to steal, on average, than companies that do not.
Re:Remote, what about stealth installations (Score:3, Insightful)
Re:Now can we stop using C, please? (Score:1, Insightful)