February 20th, 2007
Remote code execution hole in Snort
A stack-based buffer overflow in the Snort IDS (intrusion detection system) could leave government and enterprise installations vulnerable to remote unauthenticated code execution attacks.
The flaw, found by researchers at IBM’s ISS X-Force, affects the Snort DCE/RPC preprocessor and could be used to execute code with the same privileges (usually root or SYSTEM) as the Snort binary. The Snort DCE/RPC preprocessor is enabled by default to handle dynamic detection of SMB traffic.
Exploitation of this vulnerability does not require user interaction, according to the ISS X-Force alert.
Snort versions affected: Snort 2.6.1, 2.6.1.1, 2.6.1.2 and Snort 2.7.0 beta 1.
Sourcefire, the company that owns and maintains Snort, is strongly urging users to upgrade immediately to Snort version 2.6.1.3. Snort 2.7 beta users can temporarily mitigate this issue by disabling the DCE/RPC preprocessor.
A vulnerability note from the U.S. CERT explains the severity of the risk:
An attacker does not have to complete a full TCP connection to exploit this vulnerability. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
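As an added example, not code from the article, Sourcefire or the Snort project: a small Python check that reads the output of `snort -V` and a snort.conf, and reports whether the host runs one of the affected versions listed above and still has the DCE/RPC preprocessor enabled. The `preprocessor dcerpc` directive name, the banner format and the sample inputs are assumptions.

```python
import re

# Affected and fixed versions as stated in the article.
AFFECTED = {"2.6.1", "2.6.1.1", "2.6.1.2", "2.7.0 beta 1"}
FIXED = "2.6.1.3"


def parse_snort_version(banner):
    """Extract the version from `snort -V` style output (banner format assumed)."""
    m = re.search(r"Version\s+(\d[\d.]*(?:\s*beta\s*\d+)?)", banner, re.IGNORECASE)
    if not m:
        return None
    # Normalise internal whitespace so "2.7.0  beta 1" matches the affected list.
    return " ".join(m.group(1).split()).lower()


def dcerpc_enabled(conf_text):
    """True if an uncommented `preprocessor dcerpc` line is present (directive name assumed)."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"preprocessor\s+dcerpc\b", stripped):
            return True
    return False


def assess(banner, conf_text):
    """Combine version and configuration into a one-line exposure verdict."""
    version = parse_snort_version(banner)
    if version is None:
        return "unknown version"
    if version not in AFFECTED:
        return "not affected"
    if dcerpc_enabled(conf_text):
        return "vulnerable: upgrade to %s or disable the DCE/RPC preprocessor" % FIXED
    return "affected version, preprocessor disabled (mitigated); upgrade to %s" % FIXED


# Constructed sample inputs (not real output from any host).
SAMPLE_BANNER = '   ,,_     -*> Snort! <*-\n  o"  )~   Version 2.6.1.2 (Build 34)\n'
SAMPLE_CONF = (
    "# constructed snort.conf fragment\n"
    "preprocessor frag3_global\n"
    "preprocessor dcerpc: autodetect, max_frag_size 3000, memcap 100000\n"
)
MITIGATED_CONF = SAMPLE_CONF.replace("preprocessor dcerpc", "# preprocessor dcerpc")

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
    print(assess(SAMPLE_BANNER, MITIGATED_CONF))
```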
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.