Snort: Remote execution of arbitrary code

2007-02-23T00:00:00
ID GLSA-200703-01
Type gentoo
Reporter Gentoo Foundation
Modified 2007-03-02T00:00:00

Description

Background

Snort is a widely deployed intrusion detection program.

Description

The Snort DCE/RPC preprocessor does not properly reassemble certain types of fragmented SMB and DCE/RPC packets.

Impact

A remote attacker could send specially crafted fragmented SMB or DCE/RPC packets, without the need to finish the TCP handshake, that would trigger a stack-based buffer overflow while being reassembled. This could lead to the execution of arbitrary code with the permissions of the user running the Snort preprocessor.

Workaround

Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc' section in /etc/snort/snort.conf .

Resolution

All Snort users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"