Snort RPC Decode Module Overflow

2003-03-03T14:08:57
ID OSVDB:4418
Type osvdb
Reporter ISS X-Force Research(xforce@iss.net)
Modified 2003-03-03T14:08:57

Description

Vulnerability Description

Snort contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the Remote Procedure Call (RPC) preprocessor. If an attacker sends fragmented RPC traffic to a system running Snort, they may be able to overflow the buffer and crash the IDS or execute arbitrary code with the same privileges as the IDS.

Solution Description

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the rpc_decode preprocessor

edit snort.conf, replace any lines that begin with "preprocessor rpc_decode" with "preprocessor rpc_decode"

Short Description

Snort contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the Remote Procedure Call (RPC) preprocessor. If an attacker sends fragmented RPC traffic to a system running Snort, they may be able to overflow the buffer and crash the IDS or execute arbitrary code with the same privileges as the IDS.

References:

Other Advisory URL: http://www.linuxsecurity.com/advisories/engarde_advisory-2944.html Other Advisory URL: http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951 Other Advisory URL: http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00084.html Other Advisory URL: http://seclists.org/lists/fulldisclosure/2003/Apr/0470.html Other Advisory URL: http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00123.html Other Advisory URL: http://cert.uni-stuttgart.de/archive/bugtraq/2003/04/msg00266.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-03/0044.html ISS X-Force ID: 10956 CVE-2003-0033 CERT VU: 916785 Bugtraq ID: 6963