Security Hole in Snort Intrusion Detection / Prevention System

A week ago, Neel Mehta from IBM Internet Security Systems X-Force reported a vulnerability in Snort that can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent over a network that is monitored by Snort.

Successful exploitation allows execution of arbitrary code.

The vulnerability reportedly affects the following versions:

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1

The solution is to update to version 2.6.1.3. The vendor recommends that beta users disable the DCE/RPC preprocessor.
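
A check for the exposure described above, as an added example that is not part of the original post or Snort's own code: it flags a sensor as exposed when its version is on the affected list and the DCE/RPC preprocessor is still enabled in snort.conf. It assumes the directive is named `preprocessor dcerpc` and that the version banner reads `Version x.y.z`; the sample banner and config are constructed.

```python
import re

# Affected releases, as listed in the post above.
AFFECTED = {"2.6.1", "2.6.1.1", "2.6.1.2", "2.7.0 beta 1"}

# Constructed sample inputs (assumed formats, not captured from a real sensor).
SAMPLE_BANNER = "Version 2.6.1.2 (Build 34)"
SAMPLE_CONF = r"""
preprocessor frag3_global: max_frags 65536
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
"""

def parse_version(banner):
    """Pull the release string out of version banner text, or return None."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)(?:[\s.-]*beta[\s.-]*(\d+))?",
                  banner, re.I)
    if not m:
        return None
    return m.group(1) + (f" beta {m.group(2)}" if m.group(2) else "")

def active_preprocessors(conf_text):
    """Return names of preprocessors enabled by uncommented directives."""
    # Join backslash-continued lines so each directive sits on one line.
    joined = re.sub(r"\\\s*\n", " ", conf_text)
    names = set()
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"preprocessor\s+([A-Za-z0-9_]+)", line)
        if m:
            names.add(m.group(1).lower())
    return names

def assess(banner, conf_text):
    """Classify a sensor against the advisory's version list and mitigation."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version not in AFFECTED:
        return "not-affected"
    if "dcerpc" in active_preprocessors(conf_text):
        return "exposed"
    return "mitigated"  # preprocessor disabled; upgrading is still the fix

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```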

This problem has been reported on the Snort web site (here) and on Slashdot (here). Sourcefire has not received any reports that this vulnerability has been exploited.

About Dragan Pleskonjic

Chief Security Officer, University Lecturer, Entrepreneur, Security Researcher, Security Architect & Adviser, Software Development Manager. More info about Dragan Pleskonjic.
This entry was posted in Intrusion Detection / Prevention Systems.
