Securityvulns SECURITYVULNS:DOC:9968
History: Oct 19, 2005 - 12:00 a.m.

Internet Security Systems Protection Advisory: Snort Back Orifice Parsing Remote Code Execution

Internet Security Systems Protection Advisory
October 18, 2005

Snort Back Orifice Parsing Remote Code Execution

Summary:

ISS X-Force has discovered a remotely exploitable vulnerability in Snort’s
Back Orifice pre-processor. A stack-based overflow can be triggered with a
single UDP packet, allowing an attacker to fully compromise a Snort or
Sourcefire installation. X-Force believes this vulnerability to be trivially
exploitable, and urges affected users to upgrade immediately.

ISS Protection Strategy:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates.

Network Sensor 7.0, Proventia A and G100, G200, G1200:
XPU 24.19 Released 10/18/05
BackOrifice_Large_Ping

Proventia M and G400, G2000:
1.58 Released 10/18/05
BackOrifice_Large_Ping

Server Sensor 7.0:
XPU 24.19 Released 10/18/05
BackOrifice_Large_Ping

Proventia Desktop
Version 8.0.675.200 / Released TBA
BackOrifice_Large_Ping

Desktop Protector 7.0:
Version EOQ / Released TBA
BackOrifice_Large_Ping

Business Impact:

Compromise of networks and machines using Snort may lead to exposure of
confidential information, loss of productivity, and further network
compromise. Successful exploitation of these vulnerabilities could be
used to gain unauthorized access to networks and machines. No authentication
is required for an attacker to leverage these vulnerabilities to compromise
a network or machine. Snort installations are vulnerable in their default
configurations. It is not necessary to know the exact location of Snort
sensors, but simply to attack a network which they may be listening on.

Affected Products:

Snort 2.4.0 (April 2005)
Snort 2.4.1
Snort 2.4.2

Note: Additional versions may be affected; please contact your vendor for
confirmation.

Description:

Snort is an open-source and freely-available intrusion detection (IDS) and
prevention system (IPS). It is also the basis for many other commercial IDS
and IPS systems, and there may be many affected downstream vendors.

Snort versions since 2.4.0 contain a remotely exploitable vulnerability when
processing Back Orifice (BO) backdoor packets. When determining the
direction (to or from server) of a BO packet, a stack-based overflow can
be triggered by an attacker. This vulnerability could be used to completely
compromise a Snort sensor, and would typically gain an attacker full root
or administrative privileges.

The Snort BO preprocessor vulnerability can be triggered with a single UDP
packet targeting virtually any port. As such, there is a large potential
that these packets can bypass perimeter firewall defenses. An attack need
not be directly targeted at a Snort installation, but merely towards a
network monitored by Snort. Due to the trivial nature of this vulnerability
and its potential to bypass perimeter firewalls, there is grave concern that
this issue might be exploited as part of a network-based worm. X-Force
urges all affected users to upgrade immediately.

The ISS X-Press Updates detailed above will be available shortly, and have
the ability to protect against these vulnerabilities in situations where
dual deployments exist.

Additional Information:

As a temporary workaround, it may be possible to disable the Back Orifice
preprocessor. This can be done by commenting out the following preprocessor
line in the snort.conf configuration file and restarting the sensor:

preprocessor bo
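
The workaround above as a script, for checking and patching several sensors
consistently. This is an added example, not part of the ISS advisory; the
function names, the sample configuration and the regular expression are
assumptions made for illustration, and files pulled in by "include" lines are
not followed.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's workaround on a snort.conf.
# Assumption: the directive is "preprocessor bo", optionally followed by ":"
# or whitespace and arguments. Commented lines and other names do not match.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo([[:space:]:].*)?$'

# Constructed sample configuration (not taken from the advisory).
sample_conf() {
    cat <<'EOF'
var HOME_NET any
preprocessor stream4_reassemble
  preprocessor bo
# preprocessor bo
preprocessor bogus_example
EOF
}

# Return 0 if the file has an active (uncommented) Back Orifice preprocessor.
bo_active() { grep -Eq "$BO_RE" "$1"; }

# Return 0 for the versions the advisory lists; it notes others may be affected.
affected_version() {
    case "$1" in
        2.4.0|2.4.1|2.4.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Comment out every active "preprocessor bo" line, keeping a .bak copy.
disable_bo() {
    conf=$1
    bo_active "$conf" || return 0            # already disabled or absent
    cp -p "$conf" "$conf.bak" || return 1
    sed -E "s/$BO_RE/# &/" "$conf.bak" > "$conf"
}

# Demo on the constructed sample; on a sensor, take the version from `snort -V`.
demo=$(mktemp) && sample_conf > "$demo"
if affected_version "2.4.2" && bo_active "$demo"; then
    disable_bo "$demo" && echo "bo preprocessor disabled; restart the sensor"
fi
grep -n 'preprocessor bo' "$demo"
rm -f "$demo" "$demo.bak"
```

The edit only takes effect after the sensor is restarted, as the advisory
states, and the .bak copy allows the preprocessor to be re-enabled after
upgrading.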

ISS would like to thank US-CERT for their help co-ordinating this issue.
For additional information and affected vendors, see their vulnerability
note and alert below.

US-CERT Vulnerability Note:

http://www.kb.cert.org/vuls/id/175500

US-CERT Alert:

http://www.us-cert.gov/cas/techalerts/TA05-291A.html

Credit:

This vulnerability was discovered and researched by Neel Mehta of the
ISS X-Force.


About Internet Security Systems (ISS)
Internet Security Systems, Inc. (ISS) is the trusted security expert to
global enterprises and world governments, providing products and services
that protect against Internet threats. An established world leader
in security since 1994, ISS delivers proven cost efficiencies and
reduces regulatory and business risk across the enterprise for
more than 11,000 customers worldwide. ISS products and services
are based on the proactive security intelligence conducted by ISS’
X-Force® research and development team – the unequivocal world
authority in vulnerability and threat research. Headquartered
in Atlanta, Internet Security Systems has additional operations
throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
[email protected] for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this document may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.