Debian Bug report logs - #183719
RPC Preprocessing Vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: submit@bugs.debian.org

Subject: RPC Preprocessing Vulnerability

Date: Thu, 6 Mar 2003 16:48:27 -0600 (CST)

Package: snort
Version: 1.8.4beta1-3
Severity: grave
Tags: security, woody

snort-mysql and snort-pgsql should probably have this bug too if I filed
this bug against the right package. Maybe this bug should be on
snort-common?

To paraphrase the ISS advisory, snort's RPC preprocessor which is enabled
by default (maybe not in Debian's version?) is vulnerable to a buffer
overflow.

http://packetstorm.linuxsecurity.com/advisories/iss/iss.snort-rpc.txt
says:
Remote attackers may exploit the buffer overflow condition to run arbitrary
code on a Snort sensor with the privileges of the Snort IDS process, which
typically runs as the superuser. The vulnerable preprocessor is enabled by
default. It is not necessary to establish an actual connection to a RPC
portmapper service to exploit this vulnerability.

and:
Affected Versions:
Snort 1.8 (July 2001) up to and including Snort-Current (March 3, 2003 1pm ET)

     Drew Daniels

Message #10 received at 183719@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: control@bugs.debian.org, <183719@bugs.debian.org>, <team@security.debian.org>

Subject: Snort RPC vulnerability

Date: Wed, 9 Apr 2003 14:38:01 -0500 (CDT)

tags 183719 +sarge
thanks
I'm unsure if bug 183719 affects sarge as well as woody, but I would
suspect so. I see no reference to disabling the RPC decoder in the Debian
diffs. This bug should probably be filed against the source for snort as
it looks like it affects snort, snort-mysql and snort-pgsql.

Note: Unstable (sid) has a newer version of snort that has this bug
*fixed*, not just worked around.

http://www.snort.org/ says:
Snort 1.9.1 released, fixes vulnerability in rpc decoder  Brian @ Mon Mar
3 13:00:00 EST 2003
A buffer overflow has been found in the snort RPC normalization routines
by ISS X-Force. This can cause snort to execute arbitrary code embedded
within sniffed network packets. This preprocessor is enabled by default.

Snort 1.9.1 has been released to resolve this issue. For users using CVS
HEAD, a fix has been committed to the source tree.

If you are in an environment that can not upgrade snort immediately,
comment out the line in your snort.conf that begins:

preprocessor rpc_decode


and replace it with:

# preprocessor rpc_decode

     Drew Daniels

Message #17 received at 183719@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: 183719@bugs.debian.org

Date: Wed, 9 Apr 2003 15:34:15 -0500 (CDT)

http://www.securityfocus.com/bid/6963/credit/ shows more information
including advisories is available for Gentoo, Conectiva, EnGarde,
Mandrake, and ISS X-Force.

     Drew Daniels

Message #22 received at 183719@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: 189267@bugs.debian.org, <183719@bugs.debian.org>

Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors (fwd)

Date: Thu, 17 Apr 2003 12:16:07 -0500 (CDT)

For what it's worth...

     Drew Daniels

---------- Forwarded message ----------
Date: Thu, 17 Apr 2003 11:29:14 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort
    Preprocessors



-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors

   Original release date: April 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Snort IDS, versions 1.8 through 2.0 RC1

Overview

   There are two vulnerabilities in the Snort Intrusion Detection System,
   each  in  a  separate  preprocessor module. Both vulnerabilities allow
   remote  attackers to execute arbitrary code with the privileges of the
   user running Snort, typically root.

I. Description

   The   Snort  intrusion  detection  system  ships  with  a  variety  of
   preprocessor  modules  that  allow  the  user  to  selectively include
   additional    functionality.    Researchers   from   two   independent
   organizations have discovered vulnerabilities in two of these modules,
   the  RPC  preprocessor  and  the  "stream4"  TCP  fragment  reassembly
   preprocessor.

   For additional information regarding Snort, please see

     http://www.snort.org/.

   VU#139129 - Heap overflow in Snort "stream4" preprocessor (CAN-2003-0029)

   Researchers  at  CORE Security Technologies have discovered a remotely
   exploitable  heap overflow in the Snort "stream4" preprocessor module.
   This  module  allows  Snort  to  reassemble  TCP  packet fragments for
   further analysis.

   To  exploit  this  vulnerability,  an  attacker must disrupt the state
   tracking  mechanism  of the preprocessor module by sending a series of
   packets  with  crafted  sequence  numbers.  This  causes the module to
   bypass a check for buffer overflow attempts and allows the attacker to
   insert arbitrary code into the heap.

   For additional information, please read the Core Security Technologies
   Advisory located at

     http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

   This  vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
   to  RC1. Snort has published an advisory regarding this vulnerability;
   it is available at

     http://www.snort.org/advisories/snort-2003-04-16-1.txt.

   VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)

   Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
   remotely  exploitable  buffer  overflow  in the Snort RPC preprocessor
   module.  Martin  Roesch,  primary  developer  for Snort, described the
   vulnerability as follows:

     When the RPC decoder normalizes fragmented RPC records, it
     incorrectly checks the lengths of what is being normalized against
     the current packet size, leading to an overflow condition. The RPC
     preprocessor is enabled by default.

   For  additional  information,  please  read  the  ISS X-Force advisory
   located at

     http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951

   This  vulnerability  affects  Snort  versions  1.8.x through 1.9.1 and
   version 2.0 Beta.

II. Impact

   Both  VU#139129  and  VU#916785  allow  remote  attackers  to  execute
   arbitrary  code  with  the  privileges  of  the  user  running  Snort,
   typically  root.  In addition, it is not necessary for the attacker to
   know  the  IP  address of the Snort device they wish to attack; merely
   sending  malicious  traffic  where  it  can be observed by an affected
   Snort sensor is sufficient to exploit these vulnerabilities.

III. Solution

Upgrade to Snort 2.0

   Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
   is available at

     http://www.snort.org/dl/snort-2.0.0.tar.gz

   Binary-only versions of Snort are available from

     http://www.snort.org/dl/binaries

   For  information  from  other  vendors  that ship affected versions of
   Snort, please see Appendix A of this document.

Disable affected preprocessor modules

   Sites  that  are  unable to immediately upgrade affected Snort sensors
   may  prevent  exploitation of this vulnerability by commenting out the
   affected preprocessor modules in the "snort.conf" configuration file.

   To prevent exploitation of VU#139129, comment out the following line:

     preprocessor stream4_reassemble

   To prevent exploitation of VU#916785, comment out the following line:

     preprocessor rpc_decode: 111 32771

   After commenting out the affected modules, send a SIGHUP signal to the
   affected   Snort  process  to  update  the  configuration.  Note  that
   disabling these modules may have adverse affects on a sensor's ability
   to correctly process RPC record fragments and TCP packet fragments. In
   particular,  disabling  the "stream4" preprocessor module will prevent
   the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

   You  may  be  able  limit  an attacker's capabilities if the system is
   compromised  by  blocking  all outbound traffic from the Snort sensor.
   While   this   workaround   will   not  prevent  exploitation  of  the
   vulnerability,  it  may  make  it  more  difficult for the attacker to
   create a useful exploit.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Apple Computer, Inc.

   Snort is not shipped with Mac OS X or Mac OS X Server.

Ingrian Networks

   Ingrian  Networks  products  are  not  susceptible  to  VU#139129  and
   VU#916785 since they do not use Snort.

   Ingrian  customers  who  are  using the IDS Extender Service Engine to
   mirror  cleartext  data  to a Snort-based IDS should upgrade their IDS
   software.

NetBSD

   NetBSD does not include snort in the base system.

   Snort  is  available from the 3rd party software system, pkgsrc. Users
   who  have  installed  net/snort,  net/snort-mysql  or  net/snort-pgsql
   should  update  to a fixed version. pkgsrc/security/audit-packages can
   be used to keep up to date with these types of issues.

Red Hat Inc.

   Not  vulnerable.  Red  Hat does not ship Snort in any of our supported
   products.

SGI

   SGI does not ship snort as part of IRIX.

Snort

   Snort  2.0 has undergone an external third party professional security
   audit funded by Sourcefire.
     _________________________________________________________________

   The  CERT/CC  acknowledges  Bruce Leidl, Juan Pablo Martinez Kuhn, and
   Alejandro David Weil of Core Security Technologies for their discovery
   of  VU#139129.  We  also  acknowledge  Mark Dowd and Neel Mehta of ISS
   X-Force for their discovery of VU#916785.
     _________________________________________________________________

   Authors: Jeffrey P. Lanza and Cory F. Cohen.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-13.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
April 17, 2003:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPp7GWGjtSoHZUTs5AQGmlAP+MWnegmA1Qft9AenH7xefffpEDVGDT+sl
T4iljwl/ySozE962r40mL4KCszZDPdwRW/MyMA7ZcFaoWbiZc/QrEhTa4A/YYJWC
A4kL1cEnM/LiQ7yYBSnJ6DIWDTo+M1PUS9so02M6a0f0e4jpzXZDJ5HmPDdo/aPq
NW70cU8gbgs=
=Vs2Q
-----END PGP SIGNATURE-----

Message #27 received at 183719@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: 189267@bugs.debian.org, <183719@bugs.debian.org>, <team@security.debian.org>

Subject: Re: snort and Debian

Date: Mon, 21 Apr 2003 10:54:42 -0500 (CDT)

On Mon, 21 Apr 2003, Martin Schulze wrote:

> I've already prepared an update that'll be sent out next week with
> a note for people to update, and the maintainer was so kind to provide
> backported *current* packages for stable *AND* oldstable, so they can
> really upgrade, even if they fear woody or sid.
>
Should these two bugs be tagged pending? Should the potato tag be set for
these bugs until they are closed?

     Drew Daniels

Message #36 received at 183719-done@bugs.debian.org (full text, mbox, reply):

From: Drew Scott Daniels <umdanie8@cc.UManitoba.CA>

To: 189267-done@bugs.debian.org, <183719-done@bugs.debian.org>

Subject: DSA 297-1

Date: Thu, 1 May 2003 16:11:49 -0500 (CDT)

DSA 297 closes these bugs. It may be worth noting that potato was not
affected.

     Drew Daniels

Send a report that this bug log contains spam.