Snort mailing list archives
RE: [Snort-2003-001] Buffer overflow in Snort RPC p reprocessor
From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 3 Mar 2003 14:25:38 -0700
One thing for sure i can understand is that regardless of stealth or not, if running the RPC decode, this exploit could potentially crash snort or wreak some havoc on the decoder. As for system compromise, whole different story -----Original Message----- From: Bennett Todd [mailto:bet () rahul net] Sent: Monday, March 03, 2003 2:18 PM To: Slighter, Tim Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] [Snort-2003-001] Buffer overflow in Snort RPC p reprocessor 2003-03-03T15:12:04 Slighter, Tim:
Should it - or could it be specified that users running snort on a stealth interface would not be impacted?
Nope. If you're running snort on a stealth interface you can still be hit, the bug is a buffer overflow in the rpc_decode preprocessor; someone fires the right packets over snort's bow and down she goes. In theory this may or may not (I don't know) be exploitable to allow running arbitrary code. If you're running on a stealthy interface, the exploit code may not be able to establish a connection back to the attacker; hence they may be forced to encode their entire attack in the actual buffer-overflowing initial break. Snort should be run as a non-priv user, which will further mitigate problems. Snort can be run chrooted, if you're doing that problems are more confined still. But the real response should be, #-out preprocessor rpc_decode until you upgrade to 1.9.1. -Bennett ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: [Snort-2003-001] Buffer overflow in Snort RPC p reprocessor Slighter, Tim (Mar 03)
- <Possible follow-ups>
- RE: [Snort-2003-001] Buffer overflow in Snort RPC p reprocessor Slighter, Tim (Mar 03)
- Re: [Snort-2003-001] Buffer overflow in Snort RPC p reprocessor Michael Anderson (Mar 03)