Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 19379 - Snort Security Vulnerability - Remotely exploitable buffer overflow in 1.8.x, 1.9.x, and 2.0 < RC1
Summary: Snort Security Vulnerability - Remotely exploitable buffer overflow in 1.8.x,...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Highest blocker (vote)
Assignee: Gentoo Security
: 18737 (view as bug list)
Depends on:
Reported: 2003-04-15 16:50 UTC by Bug Hunter
Modified: 2003-04-22 02:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Snort 2.0.0 ebuild (snort-2.0.0.ebuild,2.19 KB, text/plain)
2003-04-17 18:05 UTC, Bug Hunter
Alpha patch for 2.0.0 (snort-2.0.0-alpha.patch,3.14 KB, text/plain)
2003-04-17 18:09 UTC, Bug Hunter

Note You need to log in before you can comment on or make changes to this bug.
Description Bug Hunter 2003-04-15 16:50:59 UTC
From the advisory:

The stream4 preprocessor module is a Snort plugin that reassembles
  TCP traffic before passing it on to be analyzed.  It also detects
  several types of IDS evasion attacks.

  We have discovered an exploitable heap overflow in this module
  resulting from sequence number calculations that overflow a
  32 bit integer variable.

  To exploit this vulnerability an attacker does not need to know on
  which host the Snort sensor is running.  It is only necessary to
  guess where to send traffic that the Snort sensor will 'see' and

  Successful exploitation of this vulnerability could lead to
  execution of arbitrary commands on a system running the Snort sensor
  with the privileges of the user running the snort process (usually
  root), a denial of service attack against the snort sensor and
  possibly the implementation of IDS evasion techniques that would
  prevent the sensor from detecting attacks on the monitored network.

*Vulnerable packages:*

  . Snort 2.0 versions prior to RC1
  . Snort 1.9.x
  . Snort 1.8.x
  . IDSes and other security appliances using snort technology embedded.

Reproducible: Always
Steps to Reproduce:
Workaround from the advisory:

A workaround for this bug is to disable the TCP stream reassembly
  module.  This can be done by commenting out the following line from
  your Snort configuration file (usually 'snort.conf') and sending
  a SIGHUP signal to the running  Snort process:

         preprocessor stream4_reassemble

  Although this will prevent the vulnerability from being exploited it
  will make it possible to easily evade the IDS by fragmenting attacks
  across multiple TCP segments.
Comment 1 Bug Hunter 2003-04-15 16:55:29 UTC
The ideal fix to this and bug #18737
is to upgrade to Snort v. 2.0 released yesterday (04/14/2004)

Comment 2 Bug Hunter 2003-04-17 18:05:15 UTC
Created attachment 10799 [details]
Snort 2.0.0 ebuild

This ebuild addresses the changes in 2.0.0
Comment 3 Bug Hunter 2003-04-17 18:09:31 UTC
Created attachment 10800 [details]
Alpha patch for 2.0.0

This is my attempt at making a patch for Alpha - but i have no way to test it
(at the moment)

i also would worry about these instances of u_int:

grep u_int spp_http_decode.c
>static u_int	 unidecode(char *in, u_int len, u_int * overlong_flag);
>    u_int16_t	     psize;	 /* payload size */
>    u_int	     overlong_flag;
>    url = (u_int8_t *) UriBufs[0].uri;
>    psize = (u_int16_t) (p->dsize);
>	     /* UriBufs[0].http_version = (u_int8_t *) index; */
>static u_int unidecode(char *in, u_int len, u_int * overlong_flag)
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-04-19 22:04:12 UTC
fyi from the CERT advisory <>:

Disable affected preprocessor modules

   Sites  that  are  unable to immediately upgrade affected Snort sensors
   may  prevent  exploitation of this vulnerability by commenting out the
   affected preprocessor modules in the "snort.conf" configuration file.

   To prevent exploitation of VU#139129, comment out the following line:

     preprocessor stream4_reassemble

   To prevent exploitation of VU#916785, comment out the following line:

     preprocessor rpc_decode: 111 32771

   After commenting out the affected modules, send a SIGHUP signal to the
   affected   Snort  process  to  update  the  configuration.  Note  that
   disabling these modules may have adverse affects on a sensor's ability
   to correctly process RPC record fragments and TCP packet fragments. In
   particular,  disabling  the "stream4" preprocessor module will prevent
   the Snort sensor from detecting a variety of IDS evasion attacks.
Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-04-19 22:07:27 UTC
*** Bug 18737 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Ahlberg (RETIRED) gentoo-dev 2003-04-22 02:43:46 UTC
glsa sent