Snort mailing list archives

RE: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 3 Mar 2003 14:25:38 -0700

One thing for sure I can understand is that regardless of stealth or not, if
running the RPC decode, this exploit could potentially crash snort or wreak
some havoc on the decoder.

As for system compromise, whole different story.

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Monday, March 03, 2003 2:18 PM
To: Slighter, Tim
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] [Snort-2003-001] Buffer overflow in Snort RPC preprocessor


2003-03-03T15:12:04 Slighter, Tim:
Should it - or could it be specified that users running snort on a
stealth interface would not be impacted?

Nope. If you're running snort on a stealth interface you can still
be hit; the bug is a buffer overflow in the rpc_decode preprocessor;
someone fires the right packets over snort's bow and down she goes.
In theory this may or may not (I don't know) be exploitable to allow
running arbitrary code.

If you're running on a stealthy interface, the exploit code may not
be able to establish a connection back to the attacker; hence they
may be forced to encode their entire attack in the actual
buffer-overflowing initial break.

Snort should be run as a non-priv user, which will further mitigate
problems.

Snort can be run chrooted; if you're doing that, problems are more
confined still.

But the real response should be, #-out preprocessor rpc_decode until
you upgrade to 1.9.1.

-Bennett
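
The workaround given in the message above (comment out `preprocessor rpc_decode` until upgrading to 1.9.1) can be checked and applied with a short script. This is an added example, not part of the original thread or of Snort; the function names and the sample snort.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find and comment out active
# "preprocessor rpc_decode" lines in a snort.conf. Function names are illustrative.

ACTIVE_RE='^[[:space:]]*preprocessor[[:space:]]+rpc_decode([[:space:]:]|$)'

# List active rpc_decode lines as "lineno:text"; status 0 if any, 1 if none.
rpc_decode_active() {
    grep -nE "$ACTIVE_RE" "$1"
}

# Comment out active rpc_decode lines. The untouched original is kept as
# <conf>.bak; a file with nothing to disable is left alone (idempotent).
disable_rpc_decode() {
    rpc_decode_active "$1" >/dev/null || return 0
    cp -p "$1" "$1.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+rpc_decode([[:space:]:]|$))/\1# \2/' \
        "$1.bak" > "$1"
}

# Constructed sample config: one active rpc_decode line (indented), one
# already commented out, and other preprocessors that must stay enabled.
write_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans
  preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111
preprocessor telnet_decode
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample_conf "$d/snort.conf"
    echo "before:"; rpc_decode_active "$d/snort.conf" || echo "  (none active)"
    disable_rpc_decode "$d/snort.conf"
    echo "after:";  rpc_decode_active "$d/snort.conf" || echo "  (none active)"
    rm -rf "$d"
}
demo
```

Snort has to be restarted for the edited configuration to take effect. The other two mitigations in the message map to Snort's `-u`/`-g` (run as an unprivileged user and group) and `-t` (chroot) command-line options.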



