Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow
- Snort 2.6.1, 220.127.116.11, and 18.104.22.168
- Snort 2.7.0 beta 1
- Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64
- Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x, and 4.6x with SEUs prior to SEU 64
A stack buffer overflow vulnerability in the Sourcefire Snort DCE/RPC preprocessor could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Snort process.
Sourcefire Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules.
The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake.
A remote, unauthenticated attacker may be able to execute arbitrary code with the privilege level of the Snort preprocessor.
Disable the DCE/RPC Preprocessor
To disable the DCE/RPC preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems):
Disabling the preprocessor will prevent Snort from reassembling fragmented SMB and DCE/RPC packets. This may allow attacks to evade the IDS.
- US-CERT Vulnerability Note VU#196240 - http://www.kb.cert.org/vuls/id/196240
- Sourcefire Advisory 2007-02-19 - http://www.snort.org/docs/advisory-2007-02-19.html
- Sourcefire Support Login - https://support.sourcefire.com/
- Sourcefire Snort Release Notes for 22.214.171.124 - http://www.snort.org/docs/release_notes/release_notes_2613.txt
- Snort downloads - http://www.snort.org/dl/
- DCE/RPC Preprocessor - http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html
- IBM Internet Security Systems Protection Advisory - http://iss.net/threats/257.html
- CVE-2006-5276 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276
February 19, 2007: Initial release