Re: BO preproc exploit published

[Murali Raju <protocoljunkie () gmail com>]

95% of the snort sensors I build use OpenBSD and the rest are a mix or
Linux(PAX/GrSecurity)/FreeBSD (for in-line). The exploit did not work on any
of these.

_Raju


On 10/26/05, byte_jump <bytejump () gmail com> wrote:
> On 10/26/05, Paul Melson <pmelson () gmail com> wrote:
> > I saw that in the release notes. To date, my sensors have not detected
> any
> > attempts to exploit the bo preproc. I suppose that now that there's
> > publicly available code that I ought to test it. ;)
> >
> > PaulM
>
>
> I didn't spend a ton of time on it, but I used the exploit code
> against a Snort 2.4.0 Snort box with the BO preprocessor enabled.
> Snort had been compiled with the SPP gcc (formerly ProPolice) and was
> on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by
> any means, but the exploit did not work and seemed to fail due to
> ProPolice (this is a stack-based buffer overflow). The exploit did
> work against a similar server without ProPolice and grsecurity.
>
> Honestly, I'm very disappointed that 1) Sourcefire doesn't use
> ProPolice and grsecurity on their sensors, and 2) that Snort.org<http://Snort.org>does
> not encourage folks to use those security mechanisms, too. Those
> security measures certainly seemed to work in my less-than-scientific
> test.
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the JBoss Inc.
> Get Certified Today * Register for a JBoss Training Course
> Free Certification Exam for All Training Attendees Through End of 2005
> Visit http://www.jboss.com/services/certification for more information
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?listsnort-users



--
May the packets be with you.