U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA05-291A)

Snort Back Orifice Preprocessor Buffer Overflow

Original release date: October 18, 2005 | Last revised: October 19, 2005

Systems Affected

  • Snort versions 2.4.0 to 2.4.2
  • Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.

Overview

The Snort Back Orifice preprocessor contains a buffer overflow that could allow a remote attacker to execute arbitrary code on a vulnerable system.


Description

Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire Intrusion Sensors, and Snort is included with a number of operating system distributions.

Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The Back Orifice preprocessor decodes packets to determine if they contain Back Orifice ping messages. The ping detection code does not adequately limit the amount of data that is read from the packet into a fixed-length buffer, thus creating the potential for a buffer overflow.

The vulnerable code will process any UDP packet that is not destined to or sourced from the default Back Orifice port (31337/udp). An attacker could exploit this vulnerability by sending a specially crafted UDP packet to a host or network monitored by Snort.

US-CERT is tracking this vulnerability as VU#175500. This vulnerability has been assigned CVE number CAN-2005-3252. Further information is available in an advisory from Internet Security Systems (ISS).


Impact

A remote attacker who can send UDP packets to a Snort sensor may be able to execute arbitrary code. Snort typically runs with root or SYSTEM privileges, so an attacker could take complete control of a vulnerable system. An attacker does not need to target a Snort sensor directly; the attacker can target any host or network monitored by Snort.


Solution

Upgrade

Sourcefire has released Snort 2.4.3 which is available from the Snort download site. For information about other vendors, please see the Systems Affected section of VU#175500.

Disable Back Orifice Preprocessor

To disable the Back Orifice preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):


[/etc/snort.conf]

...
#preprocessor bo
...

Restart Snort for the change to take effect.

Restrict Outbound Traffic

Consider preventing Snort sensors from initiating outbound connections and restricting outbound traffic to only those hosts and networks that have legitimate requirements to communicate with the sensors. While this will not prevent exploitation of the vulnerability, it may make it more difficult for an attacker to access a compromised system or reconnoiter other systems.


Appendix A. References

  • US-CERT Vulnerability Note VU#175500 - http://www.kb.cert.org/vuls/id/177500>
  • Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability - http://www.snort.org/pub-bin/snortnews.cgi#99>
  • Snort downloads - http://www.snort.org/dl/>
  • Snort 2.4.3 Changelog - http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
  • Preprocessors - http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html
    #SECTION00310000000000000000>
  • Snort Back Orifice Parsing Remote Code Execution - http://xforce.iss.net/xforce/alerts/id/207>
  • CAN-2005-3252 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3252>

This vulnerability was researched and reported by Internet Security Systems (ISS).

Feedback can be directed to US-CERT Technical Staff.

Revision History

  • Oct 18, 2005: Initial release
    Oct 19, 2005: Added CVE reference

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top