A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges.
Snort is an open-source intrusion detection system (IDS). A lack of validation on attacker-controlled data may allow a buffer overflow to occur in the Snort Back Orifice preprocessor. A remote, unauthenticated attacker may be able to trigger the buffer overflow by sending a specially crafted Back Orifice ping to a vulnerable Snort installation.
To exploit this vulnerability, an attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.
A remote attacker can execute arbitrary code with the privileges of the Snort process, typically root or SYSTEM.
This issue has been addressed in Snort version 2.4.3.
Disable Snort Back Orifice preprocessor
Disabling the Snort Back Orifice preprocessor will mitigate this vulnerability. However, without the Snort preprocessor, the Snort sensor will not detect or prevent Back Orifice traffic. Snort suggests the following steps to disable the Back Orifice preprocessor:
The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:
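As an added example (not Snort's procedure and not part of the original advisory), the shell functions below find active "preprocessor bo" lines in a configuration file and comment them out, keeping a backup copy. The function names, the sample configuration and placeholder_arg are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a snort.conf for an active Back Orifice
# preprocessor directive and comment it out.

# Matches an uncommented "preprocessor bo" line, with or without text
# after it; a name that merely starts with "bo" does not match.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:].*)?$'

# Print active directives as "lineno:text"; status 0 if any, 1 if none.
bo_active_lines() {
    grep -nE "$BO_RE" "$1"
}

# Comment out active directives in place, keeping the original as
# <conf>.bak. Returns 0 on success or when nothing needed changing.
disable_bo() {
    conf=$1
    bo_active_lines "$conf" >/dev/null || return 0
    cp -p "$conf" "$conf.bak" || return 1
    sed -E "/$BO_RE/s/^/# /" "$conf.bak" > "$conf"
}

# Constructed sample configuration (not taken from a real sensor).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample; placeholder_arg is not a real option
var HOME_NET any
# preprocessor bo
preprocessor stream4_reassemble
  preprocessor bo
preprocessor bo: placeholder_arg
EOF
}

# Demo on a temporary copy of the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    echo "active before:"; bo_active_lines "$tmp"
    disable_bo "$tmp"
    echo "active after: $(bo_active_lines "$tmp" | wc -l)"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Snort reads snort.conf at startup, so the sensor has to be restarted for the change to take effect.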
Vendor| Status| Date Notified| Date Updated
FreeBSD, Inc.| | 18 Oct 2005| 18 Oct 2005
Nortel Networks, Inc.| | 18 Oct 2005| 19 Oct 2005
Snort| | 14 Oct 2005| 18 Oct 2005
Sourcefire| | 14 Oct 2005| 26 Oct 2005
SUSE Linux| | 18 Oct 2005| 19 Oct 2005
Ubuntu| | 18 Oct 2005| 19 Oct 2005
Apple Computer, Inc.| | 18 Oct 2005| 09 Nov 2005
Avaya, Inc.| | 18 Oct 2005| 18 Oct 2005
Debian Linux| | 18 Oct 2005| 11 Nov 2005
F5 Networks, Inc.| | 18 Oct 2005| 19 Oct 2005
Global Technology Associates| | 18 Oct 2005| 18 Oct 2005
Hitachi| | 18 Oct 2005| 20 Oct 2005
Internet Security Systems, Inc.| | 14 Oct 2005| 18 Oct 2005
Intoto| | 18 Oct 2005| 11 Nov 2005
Juniper Networks, Inc.| | 18 Oct 2005| 20 Oct 2005
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
This vulnerability was researched and reported by Internet Security Systems (ISS).
This document was written by Art Manion and Jeff Gennari.