Info

Disclosure

Feb 17, 2007

Discovery

Unknown

Dates

Exploit

Feb 23, 2007

Solution

Unknown

Description

A remote overflow exists in Snort. The DCE/RPC Pre-Processor fails to check if traffic is part of a valid TCP session, and multiple "Write AndX" requests can be chained in the same TCP segment resulting in a stack overflow. With a specially crafted SMB packet, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Upgrade
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Security Software

Solution

Upgrade to version 2.6.1.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic.

Products

Sourcefire, Inc.	Snort	2.6.1.2
		2.6.1.1
		2.6.1.0
		2.7.0 beta 1
		2.6.1.3

Nortel Networks	Threat Protection System Intrusion Sensor	4.1
		4.6
		4.5
	Threat Protection System Defense Center	4.1
		4.6
		4.5

References

Security Tracker: 1017670
CERT VU: 196240
CVE ID: 2006-5276 (see also: NVD)
Bugtraq ID: 22616
Secunia Advisory ID: 24190 24235 24239 24240 24272 26746
SCIP VulDB ID: 2948 2950 2952
ISS X-Force ID: 31275
Milw0rm: 3362 3391 3609
Exploit Database: 3362 3391 3609
VUPEN Advisory: ADV-2007-0656 ADV-2007-0668
Generic Exploit URL: http://immunitysec.com
http://www.saintcorporation.com/cgi-bin/exploit_info/snort_dcerpc
Other Advisory URL: http://isc.sans.org/diary.html?storyid=2280
http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml
http://www.iss.net/threats/257.html
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00122.html
News Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9011574
Vendor Specific Advisory URL: http://www.snort.org/docs/advisory-2007-02-19.html
http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021923-01.pdf
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540173
US-CERT Cyber Security Alert: TA07-050A

Credit

Neel Mehta - -

Direct URL: http://osvdb.org/32094

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Sourcefire, Inc.

Snort

Nortel Networks

Threat Protection System Intrusion Sensor

Threat Protection System Defense Center

References

Credit