IDS mailing list archives
Re: Snort RPC Vulnerability
From: "Jason V. Miller" <jmiller () securityfocus com>
Date: Mon, 3 Mar 2003 12:06:01 -0700
Yes, though the risk would be mitigated by the fact that your machine couldn't transmit any data onto the wire; although an attacker wouldn't be able to get an interactive shell of any sort on your machine, they would still be able to rm -rf / the box (or equivalent).

According to the ISS advisory, successful exploitation can occur outside of an established TCP session; stateless TCP segments with the ACK bit set (or possibly even a SYN segment with data) can trigger the vulnerability.

Regards,
J.

On Mon, Mar 03, 2003 at 02:03:25PM -0500, netsecurity wrote:
If you are using a receive only cable does this still represent a vulnerability?

Allen Taylor
_______________________
Network Security
Dura Builders
5740 Decatur Blvd.
Indianapolis, IN, 46241
(317) 821-1109 FAX

Monday, March 3, 2003, 1:20:51 PM, you wrote:

JVM> Anyone using Snort might want to have a look at the latest ISS Advisory. There
JVM> is a vulnerability in Snort 1.8.0 - 1.9.0 in the RPC preprocessor, which may
JVM> ultimately allow a remote attacker to execute arbitrary code on a vulnerable
JVM> host.

JVM> Internet Security Systems Security Advisory
JVM> Snort RPC Preprocessing Vulnerability
JVM> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

JVM> The Snort team has released a new version, 1.9.1, which contains fixes for this
JVM> issue. Users not wishing to upgrade may disable the RPC preprocessor in their
JVM> snort.conf configs.

JVM> Check out the Snort Web site:
JVM> http://www.snort.org/

JVM> Version 1.9.1, which contains fixes for this issue, is available here:
JVM> http://www.snort.org/dl/snort-1.9.1.tar.gz

JVM> Regards,

(C)opyright Dura Builders, ~2003~ Indianapolis, IN, All Rights Reserved
-------------------------------------------------------------------------
The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, contact netsecurity () duracompanies com
-------------------------------------------------------------------------
--
Jason V. Miller, Threat Analyst
Symantec, Inc. - www.symantec.com
E-Mail: jmiller () securityfocus com
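The two mitigations named in the thread (upgrade to 1.9.1, or disable the RPC preprocessor in snort.conf) can be checked per sensor with a short script; this is an added example, not part of the original messages or of Snort itself. It assumes the preprocessor is enabled by a `preprocessor rpc_decode` line in snort.conf, which the thread does not quote, and its function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Snort sensor against the advisory discussed above.
# Assumption: the RPC preprocessor is switched on by a snort.conf line of the
# form "preprocessor rpc_decode: <ports>"; all function names are hypothetical.

# Exit 0 if the version string is in the affected range 1.8.0 - 1.9.0.
version_affected() {
    case "$1" in
        1.8.*|1.9.0|1.9.0[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print active (uncommented) rpc_decode lines; exit 0 if at least one exists.
rpc_decode_enabled() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]+rpc_decode([[:space:]:]|$)' "$1"
}

# usage: audit_sensor <snort-version> <path-to-snort.conf>
audit_sensor() {
    if ! version_affected "$1"; then
        echo "ok: version $1 is outside the affected range"
        return 0
    fi
    if rpc_decode_enabled "$2" >/dev/null; then
        echo "exposed: $1 with rpc_decode enabled"
        return 1
    fi
    echo "mitigated: $1 with rpc_decode disabled"
    return 0
}

# Constructed sample config, not taken from a real sensor.
sample=$(mktemp)
cat > "$sample" <<'EOF'
preprocessor frag2
  preprocessor rpc_decode: 111 32771
# preprocessor telnet_decode
EOF

audit_sensor 1.9.0 "$sample" || true
audit_sensor 1.9.1 "$sample" || true
```

The non-zero return from `audit_sensor` for an exposed sensor lets the check be wired into a cron job or configuration-management run across a fleet of sensors.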
Current thread:
- Snort RPC Vulnerability Jason V. Miller (Mar 03)
- Re: Snort RPC Vulnerability netsecurity (Mar 03)
- Re: Snort RPC Vulnerability Jason V. Miller (Mar 03)
- RE: Snort RPC Vulnerability Rob Shein (Mar 03)
- Re: Snort RPC Vulnerability Bennett Todd (Mar 03)
- RE: Snort RPC Vulnerability Trey A Mujakporue (Mar 03)
- Re: Snort RPC Vulnerability netsecurity (Mar 03)