16763 – Snort RPC Preprocessing Remote Security Vulnerability

Bug 16763 - Snort RPC Preprocessing Remote Security Vulnerability

Summary: Snort RPC Preprocessing Remote Security Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Highest critical
Assignee:	Gentoo Security

URL:	http://www.iss.net/issEn/delivery/xfo...
Whiteboard:
Keywords:

Duplicates (1):	16811 (view as bug list)
Depends on:
Blocks:

Reported:	2003-03-03 15:06 UTC by Bug Hunter
Modified:	2003-03-08 17:55 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bug Hunter 2003-03-03 15:06:25 UTC

From the Advisory:

A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable
to attack.

Impact:

Remote attackers may exploit the buffer overflow condition to run arbitrary
code on a Snort sensor with the privileges of the Snort IDS process, which
typically runs as the superuser[1]. The vulnerable preprocessor is enabled by
default. It is not necessary to establish an actual connection to a RPC
portmapper service to exploit this vulnerability.

[1] runs as user snort on Gentoo by default - but still has access to all
network traffic

Solution:

Upgrade to 1.9.1 or disable the rpc pre-processor as temporary work-around.

Note: disabling the rpc pre-processor disables all rpc based detection.


Reproducible: Always
Steps to Reproduce:

Comment 1 Martin Holzer (RETIRED) gentoo-dev

2003-03-05 18:01:14 UTC

*** Bug 16811 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev

2003-03-08 17:55:56 UTC

glsa sent