Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Connectiva CLA-2003:613: snort buffer overflow

Connectiva CLA-2003:613: snort buffer overflow

by Nikola Strahija on April 6th, 2003 A buffer overflow vulnerability has been found in Snort which, if exploited, may allow arbitrary code execution.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : snort
SUMMARY : RPC preprocessor vulnerability
DATE : 2003-04-04 14:20:00
ID : CLA-2003:613
RELEVANT
RELEASES : 8

- -------------------------------------------------------------------------

DESCRIPTION
Snort is an Open Source Network Intrusion Detection System (NIDS).

ISS X-Force has discovered[1] a remotely exploitable buffer overflow
vulnerability in Snort. It resides in the RPC preprocessor, which is
responsible for normalizing RPC traffic before its analisys by the
rules processor.

A remote atacker able to insert specially crafted RPC traffic in the
network being monitored by snort may crash the sensor or execute
arbitrary code in the context of it, which is run by the root user.

The RPC preprocessor feature was added in snort 1.8, which is
distributed with Conectiva Linux 8. Users of Conectiva Linux versions
6.0 and 7.0 are not vulnerable to this attack.

IMPORTANT: Please note that this update is from snort 1.8.4b1 to
1.9.1. Since several components have changed in snort 1.9.1, the old
snort.conf file and the alerts database need some small changes in
order to work with this new version. Instructions about how to
smoothly upgrade are available at the end of this announcement.


SOLUTION
This is a serious vulnerability. All snort users should upgrade.

A workaround for this problem is to disable the RPC preprocessor by
commenting the following line in the snort.conf file:

preprocessor rpc_decode: 111


REFERENCES:
1.http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951



UPGRADING FROM SNORT 1.8.4b1 TO SNORT 1.9.1:

The snort update from 1.8.4b1 to 1.9.1 basically needs two manual
interventions to work: changes in the config file
(/etc/snort/snort.conf) and in the SQL database (in the case of using
an SQL backend).


Necessary changes to the configuration file (snort.conf)
--------------------------------------------------------

Since several components have been changed in snort 1.9.1, some
changes were made in the snort.conf file. Below are listed the
necessary changes in order to let snort 1.9.1 work with the old
config file from snort 1.8.4b1. Notice that, in order to take full
advantage of the new available features, it is recommended to create
a new config file based on the one distributed with snort 1.9.1. In
an rpm based installation, the old configuration file is preserved
and the new one is saved as "snort.conf.rpmnew".

- New variables:

The following variables (and their default values) were added and
some rules need these definitions in order to work (i.e. snort will
not start if these variables are not defined).

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# AIM Servers (AOL Instant Messaging)
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/
24,205.188.9.0/24]

# Ports you do oracle attacks on
var ORACLE_PORTS 1521


- Rules directory:
The snort rules are now under the /etc/snort/rules directory. The
config file must be changed to point to it:

Change the line
var RULE_PATH ./

To
var RULE_PATH /etc/snort/rules


- Preprocessor changes:

The "http_decode" preprocessor was configured with the following
parameters in snort 1.8.4b1:

preprocessor http_decode: 80 -unicode -cginull

The syntax in snort 1.9.1 has been changed and now the default is:

preprocessor http_decode: 80 unicode iis_alt_unicode
double_encode iis_flip_slash full_whitespace

Besides that change, several other preprocessor were modified.
Although the older configuration may still work, it is recommended to
adapt it to the new defaults in order to get the best of snort
capabilities.


Necessary changes to the SQL database
-------------------------------------

The snort database in version 1.8.4b1 (schema 104) is not compatible
with snort 1.9.1 (schema 106). In order to keep using the old
database, snort 1.9.1 needs some small changes in the "sensor" and
"schema" tables. Besides that, a new snort functionality needs
"update" access to the database tables.

Below are the necessary commands to make such changes in a scenario
where MySQL is being used to store the snort database locally
(localhost). If snort is running in a distributed model or using
another SQL backend, the commands must be adapted accordingly.

- Access the MySQL interface:
$ mysql -u root -p snortdatabase

- Add to the table "sensor" a field "last_cid", needed by snort
1.9.1:
mysql> alter table sensor add last_cid INT UNSIGNED NOT NULL;

- Change the "schema" version to 106 (this is the version expected by
snort 1.9.1):
mysql> update schema set vseq=106;

- Grant update permission to the user snort in all tables from
"snortdatabase":
mysql> grant update on snortdatabase.* to [email protected]
identified by 'snort_user_password';

- Exit MySQL:
mysql> quit;

Aditional info can be found in the above URLs:
Snort: http://www.snort.org/
Conectiva Linux: http://www.conectiva.com/


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/snort-1.9.1-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/snort-1.9.1-1U80_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright 2003 (c) Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+jb8X42jd0JmAcZARAmuBAKCTrDSKsintRRjoSUrry6U5gZuM1QCfcKR/
KncikHmelXswYPtVPC3mRpU=
=nR3N
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »