Snort mailing list archives

Re: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor


From: Bennett Todd <bet () rahul net>
Date: Mon, 3 Mar 2003 16:18:11 -0500

2003-03-03T15:12:04 Slighter, Tim:
> Should it - or could it be specified that users running snort on a
> stealth interface would not be impacted?

Nope. If you're running snort on a stealth interface you can still
be hit. The bug is a buffer overflow in the rpc_decode preprocessor;
someone fires the right packets over snort's bow and down she goes.
In theory this may or may not (I don't know) be exploitable to allow
running arbitrary code.

If you're running on a stealthy interface, the exploit code may not
be able to establish a connection back to the attacker; hence they
may be forced to encode their entire attack in the actual
buffer-overflowing initial break.

Snort should be run as a non-priv user, which will further mitigate
problems.

Snort can be run chrooted; if you're doing that, problems are more
confined still.

But the real response should be, #-out preprocessor rpc_decode until
you upgrade to 1.9.1.

-Bennett
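
The workaround described in the message above, as an added example (not part of the original post or of the Snort distribution): a shell helper that lists any still-active `preprocessor rpc_decode` lines in a Snort config file and comments them out, keeping a backup. The function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and comment out active rpc_decode lines in a Snort config.

# Print active (uncommented) rpc_decode lines as "lineno:text"; exit 1 if none.
active_rpc_decode() {
    grep -nE '^[[:space:]]*preprocessor[[:space:]]+rpc_decode([[:space:]:]|$)' "$1"
}

# Comment out every active rpc_decode line; the original is kept as <file>.bak.
disable_rpc_decode() {
    f=$1
    cp -p "$f" "$f.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+rpc_decode([[:space:]:]|$))/\1# \2/' \
        "$f.bak" > "$f"
}

# Constructed sample config (not from the page): one active rpc_decode line
# (indented, to show whitespace handling) and one that is already commented out.
make_sample() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
  preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80
EOF
}

demo() {
    conf=$(mktemp) || return 1
    make_sample "$conf"
    echo "active before:"
    active_rpc_decode "$conf" || echo "  (none)"
    disable_rpc_decode "$conf"
    echo "active after:"
    active_rpc_decode "$conf" || echo "  (none)"
    rm -f "$conf" "$conf.bak"
}

demo
```

Snort reads its configuration at startup, so the sensor has to be restarted for the change to take effect.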
