Snort mailing list archives
Re: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor
From: Bennett Todd <bet () rahul net>
Date: Mon, 3 Mar 2003 16:18:11 -0500
2003-03-03T15:12:04 Slighter, Tim:
Should it - or could it be specified that users running snort on a stealth interface would not be impacted?
Nope. If you're running snort on a stealth interface you can still be hit. The bug is a buffer overflow in the rpc_decode preprocessor; someone fires the right packets over snort's bow and down she goes. In theory this may or may not (I don't know) be exploitable to allow running arbitrary code. If you're running on a stealthy interface, the exploit code may not be able to establish a connection back to the attacker; hence they may be forced to encode their entire attack in the actual buffer-overflowing initial break. Snort should be run as a non-priv user, which will further mitigate problems. Snort can be run chrooted; if you're doing that, problems are more confined still. But the real response should be, #-out preprocessor rpc_decode until you upgrade to 1.9.1.

-Bennett
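The interim mitigation described in the message above, sketched as a small audit script. This is an added example, not part of the original post or of the Snort project; the function names and the sample config are constructed for illustration, and the command-line check assumes Snort's `-u` (run as user) and `-t` (chroot directory) options.

```shell
#!/bin/sh
# Added example: audit a snort.conf and a snort command line for the
# mitigations named in the message (rpc_decode disabled, non-root, chroot).

# Constructed sample config; not taken from any real deployment.
sample_conf() {
    cat <<'EOF'
# constructed sample snort.conf
preprocessor frag2
  preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111
preprocessor telnet_decode
EOF
}

# Print "LINENO:TEXT" for each uncommented rpc_decode preprocessor line.
# Leading whitespace is allowed; lines already commented out are ignored.
active_rpc_decode() {
    grep -nE '^[[:space:]]*preprocessor[[:space:]]+rpc_decode([[:space:]:]|$)' "$1"
}

# Emit a copy of the config with the active rpc_decode lines commented out.
disable_rpc_decode() {
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+rpc_decode([[:space:]:]|$))/\1# \2/' "$1"
}

# List which of -u (unprivileged user) and -t (chroot dir) a command line lacks.
missing_hardening() {
    missing=""
    for flag in -u -t; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# Demo on the constructed sample.
conf=$(mktemp)
sample_conf > "$conf"
echo "active rpc_decode lines:"; active_rpc_decode "$conf" || echo "(none)"
echo "after commenting out:"; disable_rpc_decode "$conf" | grep -n 'rpc_decode'
echo "missing options: $(missing_hardening 'snort -c /etc/snort/snort.conf -i eth1')"
rm -f "$conf"
```

Run `active_rpc_decode` against every config file Snort loads, since an `include`d file can re-enable the preprocessor.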