Snort DCE/RPC preprocessor buffer overflow

2007-07-09T00:00:00
ID SAINT:AA4F55AACCFB3D420B4972A4E9BE4880
Type saint
Reporter SAINT Corporation
Modified 2007-07-09T00:00:00

Description

Added: 07/09/2007
CVE: CVE-2006-5276
BID: 22616
OSVDB: 32094

Background

Snort is an open-source intrusion detection system. It includes a DCE/RPC preprocessor, which reassembles DCE/RPC traffic before it is passed to the intrusion detection engine.

Problem

A buffer overflow vulnerability in the DCE/RPC preprocessor allows remote attackers to execute arbitrary commands by chaining together multiple **WriteAndX** requests in the same TCP segment.

Resolution

Upgrade to Snort 2.6.1.3 or higher.

References

<http://www.us-cert.gov/cas/techalerts/TA07-050A.html>
<http://www.snort.org/docs/advisory-2007-02-19.html>

Limitations

The exploit works on Snort 2.6.1.1 on Windows and Snort 2.6.1.2 on Red Hat 8, and requires port 445/TCP to be open on the target.

Platforms

Windows 2000
Windows XP SP0 / Windows XP SP1
Windows XP SP2 / Windows XP
Linux