Snort Vulnerable To Back Orifice Packets
David Utter Staff Writer
2005-10-19
ISS X-Force has reported that the Snort intrusion detection system is vulnerable to a stack-based overflow when parsing Back Orifice packets.
Versions of Snort from 2.4.0 on could be fully compromised when processing a single UDP packet. Once compromised, a Snort sensor would likely give the attacker full root or admin privileges. ISS noted that default installations of Snort possess the vulnerability.
"When determining the direction (to or from server) of a BO packet, a stack-based overflow can be triggered by an attacker," ISS said in its alert.
The alert about the issue with Snort's Back Orifice preprocessor notes that the UDP packet can bypass firewalls and enter a network through virtually any open port. All an attacker would have to do is blast packets at a network. If a vulnerable Snort sensor picks up the packet, the exploit would be triggered.
"Due to the trivial nature of this vulnerability and its potential to bypass perimeter firewalls, there is grave concern that this issue might be exploited as part of a network-based worm. X-Force urges all affected users to upgrade immediately," the company said.
Sourcefire has already released Snort version 2.4.3 for users of the open source version. Users may be able to disable Snort's Back Orifice preprocessor by editing snort.conf and commenting out the relevant line:
# preprocessor bo
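One way to check a sensor's snort.conf for an active Back Orifice preprocessor line and comment it out, as an added example that is not part of the original article or the Snort project. The function names, the sample configuration and its `placeholder_option` and `other_example` entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and disable Snort's Back Orifice preprocessor.
# Function names are hypothetical; the sample config is constructed.

# Active (uncommented) "preprocessor bo" directive, with or without
# options after a colon. Other preprocessors (e.g. "bogus") do not match.
BO_RE='^[[:space:]]*preprocessor[[:space:]]+bo[[:space:]]*(:.*)?$'

# Print "lineno:text" for every active directive in config file $1.
bo_active_lines() { grep -nE "$BO_RE" "$1"; }

# Exit 0 if config file $1 still loads the preprocessor.
bo_enabled() { grep -qE "$BO_RE" "$1"; }

# Comment out active directives in $1, keeping a backup in $1.bak.
disable_bo() {
    cp -p "$1" "$1.bak" || return 1
    sed -E 's/^([[:space:]]*)(preprocessor[[:space:]]+bo[[:space:]]*(:.*)?)$/\1# \2/' \
        "$1.bak" > "$1"
}

# Write a constructed snort.conf fragment to $1 for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sensor configuration
preprocessor other_example
preprocessor bo
  preprocessor bo: placeholder_option
# preprocessor bo
preprocessor bogus_example
EOF
}

# Demo: list active directives, disable them, confirm none remain.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
echo "active before:"; bo_active_lines "$demo_conf"
disable_bo "$demo_conf"
if bo_enabled "$demo_conf"; then echo "still enabled"; else echo "bo disabled"; fi
rm -f "$demo_conf" "$demo_conf.bak"
```

Snort reads snort.conf at startup, so the sensor has to be restarted after the edit for the change to apply.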
The US CERT team has also provided an alert about the vulnerability.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.