CERT/CC Vulnerability Note VU#916785

Overview

There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.

Description

Martin Roesch, the primary Snort developer, described the vulnerability by saying:

When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default.

The ISS X-Force team has published an advisory with additional information on this issue:

http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

Information about this vulnerability can also be found on the Snort web site at:

http://www.snort.org/

Impact

A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.

Solution

Upgrade to Snort version 1.9.1

Upgrade to Snort version 1.9.1 to correct this vulnerability. This version of snort is available at:

http://www.snort.org/dl/snort-1.9.1.tar.gz

Disable the rpc_decode preprocessor

You can prevent exploitation of this vulnerability by commenting out the rpc_decode preprocessor in the "snort.conf" configuration file. Note that this change may affect your ability to correctly process RPC record fragments.

Block outbound packets from Snort IDS systems

You may be able limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.

Vendor Information

916785

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Conectiva Affected

Debian Affected

Gentoo Linux Affected

Notified: March 06, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- - - --------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200304-06 - - - ---------------------------------------------------------------------
PACKAGE : snort SUMMARY : Multiple Vulnerabilities in Snort Preprocessors
DATE : 2003-04-28 07:07 UTC EXPLOIT : remote
VERSIONS AFFECTED : <snort-2.0.0 FIXED VERSION : >=snort-2.0.0
CVE : CAN-2003-0209 CAN-2003-0033
- - - ---------------------------------------------------------------------
New (and correct) ID and updated CVE link.
- - From advisories:
"The Sourcefire Vulnerability Research Team has learned of an integer overflow in the Snort stream4 preprocessor used by the Sourcefire Network Sensor product line. The Snort stream4 preprocessor (spp_stream4) incorrectly calculates segment size parameters during stream reassembly for certain sequence number ranges which can lead to an integer overflow that can be expanded to a heap overflow.
The Snort stream4 flaw may lead to a denial of service (DoS) attack or remote command execution on a host running Snort. This attack can be launched by crafting TCP stream packets and transmitting them over a network segment that is being monitored by a vulnerable Snort implementation. In its default configuration, certain versions of snort are vulnerable to this attack, as is the default configuration of the Snort IDS."
"Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to a RPC portmapper service to exploit this vulnerability."
Read the full advisories at: http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951 http://www.snort.org/advisories/snort-2003-04-16-1.txt
SOLUTION
It is recommended that all Gentoo Linux users who are running net-analyzer/snort upgrade to snort-2.0.0 as follows:
emerge sync emerge snort emerge clean
- - - --------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz - - - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+rNNLfT7nyhUpoZMRAk3cAJ41kN/5iZoa3IOtmoTwP+E7JRZZdACdFiE6 c8JLrnnQbuVE2ASytyK0N48= =V4iq -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc. Affected

MandrakeSoft Affected

SmoothWall Affected

Snort Affected

Notified: February 28, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Snort Vulnerability Advisory [SNORT-2003-001]
Date: 2003-03-03
Affected Snort Versions:
Any version starting with version 1.8 to those before 2003-03-03 1PM/ US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
Synopsis:
A buffer overflow has been found in the snort RPC normalization routines by ISS X-Force. This can cause snort to execute arbitrary code embedded within sniffed network packets. This preprocessor is enabled by default.
Snort 1.9.1 has been released to resolve this issue. For users using CVS HEAD, a fix has been committed to the source tree.
Mitigation:
If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:
preprocessor rpc_decode
and replace it with
# preprocessor rpc_decode
Details:
When the rpc decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size.
The rpc decoder in Snort 1.9.1 and above contains new alert options that can be used to help detect this attack
Option Default State
alert_fragments INACTIVE alert_large_fragments ACTIVE alert_incomplete ACTIVE alert_multiple_requests ACTIVE

The first option will alert on any rpc fragmented record it finds. Large fragments will alert when the reassembled fragment record will exceed the current packet length. The incomplete record will alert when there is a partial record found. The alert_multiple_requests will alert when we find more than one RPC request per packet ( or reassembled packet ).
Download Locations:
Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Binaries are currently not available, this is a source release only at this time. As new binaries become available they will be added to the site.
Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
CVS HEAD (Snort 2.0beta) has been fixed as well.
- -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure roesch@sourcefire.com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (Darwin)
iD8DBQE+Y5gfqj0FAQQ3KOARAkENAJ0Zf0tGT/BilYA32bIuQF0Te/A2bgCfWRu2 OoXy1dQb8B/1/AEbTDqjxSA= =NQ8d -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An updated version of Snort (1.9.1) is available from:

http://www.snort.org/dl/snort-1.9.1.tar.gz

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Fujitsu Not Affected

Ingrian Networks Not Affected

NetBSD Not Affected

Red Hat Inc. Not Affected

SGI Not Affected

BSDI Unknown

Cray Inc. Unknown

Data General Unknown

FreeBSD Unknown

Hewlett-Packard Company Unknown

IBM Unknown

MontaVista Software Unknown

NEC Corporation Unknown

Nokia Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

Sequent Unknown

Sony Corporation Unknown

SuSE Inc. Unknown

Sun Microsystems Inc. Unknown

The SCO Group (SCO Linux) Unknown

The SCO Group (SCO UnixWare) Unknown

Unisys Unknown

Wind River Systems Inc. Unknown

Wirex Unknown

View all 33 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2003-0033
CERT Advisory:	CA-2003-13
Severity Metric:	6.41
Date Public:	2003-03-03
Date First Published:	2003-03-03
Date Last Updated:	2003-05-20 01:02 UTC
Document Revision:	21

Software Engineering Institute

CERT Coordination Center

Buffer overflow in Snort RPC preprocessor

Vulnerability Note VU#916785

Overview

Description

Impact

Solution

Vendor Information

Conectiva Affected

Debian Affected

Gentoo Linux Affected

Guardian Digital Inc. Affected

MandrakeSoft Affected

SmoothWall Affected

Snort Affected

Apple Computer Inc. Not Affected

Fujitsu Not Affected

Ingrian Networks Not Affected

NetBSD Not Affected

Red Hat Inc. Not Affected

SGI Not Affected

BSDI Unknown

Cray Inc. Unknown

Data General Unknown

FreeBSD Unknown

Hewlett-Packard Company Unknown

IBM Unknown

MontaVista Software Unknown

NEC Corporation Unknown

Nokia Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

Sequent Unknown

Sony Corporation Unknown

SuSE Inc. Unknown

Sun Microsystems Inc. Unknown

The SCO Group (SCO Linux) Unknown