From the advisory:

The stream4 preprocessor module is a Snort plugin that reassembles TCP traffic before passing it on to be analyzed. It also detects several types of IDS evasion attacks. We have discovered an exploitable heap overflow in this module resulting from sequence number calculations that overflow a 32 bit integer variable. To exploit this vulnerability an attacker does not need to know on which host the Snort sensor is running. It is only necessary to guess where to send traffic that the Snort sensor will 'see' and analyze. Successful exploitation of this vulnerability could lead to execution of arbitrary commands on a system running the Snort sensor with the privileges of the user running the snort process (usually root), a denial of service attack against the snort sensor and possibly the implementation of IDS evasion techniques that would prevent the sensor from detecting attacks on the monitored network.

*Vulnerable packages:*
. Snort 2.0 versions prior to RC1
. Snort 1.9.x
. Snort 1.8.x
. IDSes and other security appliances using snort technology embedded.

Reproducible: Always
Steps to Reproduce:

Workaround from the advisory:

A workaround for this bug is to disable the TCP stream reassembly module. This can be done by commenting out the following line from your Snort configuration file (usually 'snort.conf') and sending a SIGHUP signal to the running Snort process:

preprocessor stream4_reassemble

Although this will prevent the vulnerability from being exploited, it will make it possible to easily evade the IDS by fragmenting attacks across multiple TCP segments.
The ideal fix to this and bug #18737 is to upgrade to Snort v. 2.0 released yesterday (04/14/2004)
Created attachment 10799 [details]
Snort 2.0.0 ebuild

This ebuild addresses the changes in 2.0.0.
Created attachment 10800 [details]
Alpha patch for 2.0.0

This is my attempt at making a patch for Alpha - but I have no way to test it (at the moment). I also would worry about these instances of u_int:

grep u_int spp_http_decode.c
>static u_int unidecode(char *in, u_int len, u_int * overlong_flag);
> u_int16_t psize; /* payload size */
> u_int overlong_flag;
> url = (u_int8_t *) UriBufs[0].uri;
> psize = (u_int16_t) (p->dsize);
> /* UriBufs[0].http_version = (u_int8_t *) index; */
>static u_int unidecode(char *in, u_int len, u_int * overlong_flag)
FYI, from the CERT advisory <http://www.cert.org/advisories/CA-2003-13.html>:

Disable affected preprocessor modules

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

To prevent exploitation of VU#139129, comment out the following line:

preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:

preprocessor rpc_decode: 111 32771

After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.

Note that disabling these modules may have adverse effects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.
*** Bug 18737 has been marked as a duplicate of this bug. ***
glsa sent