Internet Security Systems Security Advisory
March 3, 2003

Snort RPC Preprocessing Vulnerability

Synopsis:

ISS X-Force has discovered a remotely exploitable buffer overflow condition in Snort. Snort is an open source intrusion detection system. A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable to attack.

Impact:

Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser. The vulnerable preprocessor is enabled by default. It is not necessary to establish an actual connection to an RPC portmapper service to exploit this vulnerability. Snort may be installed by default on some commercially available network-security appliances. Remote attackers can exploit this vulnerability by directing the exploit towards any host on any network monitored by the Snort intrusion detection system. A successful attack can either crash the Snort sensor or lead to complete remote compromise.

Affected Versions:

Snort 1.8 (July 2001) up to and including Snort-Current (March 3, 2003 1pm ET)

Description:

Snort is an open source and freely available IDS product. In Snort 1.8, support was added to detect attacks that used RPC fragmentation as an IDS evasion technique. When processing fragmented RPC traffic, Snort does not properly check fragment sizes against the amount of space remaining in the preprocessing buffer, creating a buffer overflow condition that can lead to remote compromise of Snort sensors. Although the buffer overflow condition occurs in RPC preprocessing code, it is not necessary to establish an actual TCP connection to an RPC portmapper service to exploit this vulnerability. It is also not necessary to know the network location of a Snort sensor. Exploit packets can be sent to any portion of a network upon which a target Snort sensor is listening.
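The defect described above is a missing check of each fragment's advertised length against the space left in the reassembly buffer. The following is an added illustration, not Snort's code, of how an RPC-over-TCP record reassembler should bound each fragment; it assumes RFC 1831 record marking (a 4-byte big-endian header whose top bit flags the last fragment) and uses constructed sample records.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RPC_LAST_FRAG 0x80000000u   /* top bit of the record mark */
#define RPC_FRAG_LEN  0x7fffffffu   /* remaining 31 bits: fragment length */

/* Copy the payloads of a fragmented ONC RPC/TCP record into out[].
 * Returns the total payload length, or -1 if any fragment would run past
 * the end of the input or past the space remaining in out[]. The second
 * test is the bound the advisory describes as missing in Snort's
 * preprocessor; without it a large advertised length overruns the buffer. */
long rpc_reassemble(const uint8_t *in, size_t inlen,
                    uint8_t *out, size_t outcap)
{
    size_t ipos = 0, opos = 0;
    for (;;) {
        uint32_t hdr, flen;
        if (inlen - ipos < 4)                 /* truncated record mark */
            return -1;
        hdr  = ((uint32_t)in[ipos] << 24) | ((uint32_t)in[ipos + 1] << 16) |
               ((uint32_t)in[ipos + 2] << 8) | in[ipos + 3];
        ipos += 4;
        flen = hdr & RPC_FRAG_LEN;
        if (flen > inlen - ipos)              /* claims more than was received */
            return -1;
        if (flen > outcap - opos)             /* would overflow the output buffer */
            return -1;
        memcpy(out + opos, in + ipos, flen);
        ipos += flen;
        opos += flen;
        if (hdr & RPC_LAST_FRAG)
            return (long)opos;
    }
}

/* Constructed sample: two fragments of 3 and 2 bytes, the second marked last. */
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x80, 0x00, 0x00, 0x02, 'd', 'e' };
/* Constructed sample: the mark advertises 16 bytes but only 2 follow. */
static const uint8_t sample_short[] = { 0x80, 0x00, 0x00, 0x10, 'x', 'y' };

long demo_ok(void) {            /* expect 5 and payload "abcde" */
    uint8_t buf[8];
    long n = rpc_reassemble(sample_ok, sizeof sample_ok, buf, sizeof buf);
    return (n == 5 && memcmp(buf, "abcde", 5) == 0) ? n : -2;
}
long demo_short(void) {         /* expect -1: input shorter than advertised */
    uint8_t buf[8]; return rpc_reassemble(sample_short, sizeof sample_short, buf, sizeof buf); }
long demo_small_buf(void) {     /* expect -1: 5 payload bytes into a 4-byte buffer */
    uint8_t buf[4]; return rpc_reassemble(sample_ok, sizeof sample_ok, buf, sizeof buf); }
```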
All network IDS systems, including Snort sensors, are deployed such that they have access to critical networks. As a result, compromise of Snort sensors may lead to the disclosure of large volumes of network traffic potentially containing confidential information useful for further compromise of internal networks. Protection mechanisms such as implementation of a non-executable stack do not offer any protection from exploitation of this vulnerability. Successful exploitation of this vulnerability does not generate any log entries.

Recommendations:

For Dynamic Threat Protection, Internet Security Systems recommends applying a Virtual Patch for the Snort vulnerability. Employ the following protection techniques through the ISS Dynamic Threat Protection platform RealSecure Network Sensor XPU 20.10 and 5.9:

RPC_Large_Fragmented - (http://www.iss.net/security_center/static/10956.php)

For manual protection, Snort users may disable the RPC preprocessor. However, this workaround will degrade certain types of RPC-based detection. The vulnerable preprocessor can be disabled by commenting out the following line within the "snort.conf" configuration file:

#preprocessor rpc_decode: 111 32771

Snort has provided the following information about availability of patches for inclusion in this advisory:

Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Binaries are not available at this time; this is a source release only. As new binaries become available they will be added to the site.

http://www.snort.org/dl/snort-1.9.1.tar.gz

GPG Signatures:
http://www.snort.org/dl/snort-1.9.1.tar.gz.asc

Vendor Notification Schedule:

Initial vendor notification: 2/20/2003
Initial vendor confirmation: 2/21/2003
Final release schedule confirmation: 2/24/2003

ISS X-Force worked with Snort throughout the notification and release process.
X-Force would like to thank Snort for their cooperation as well as the National Infrastructure Protection Center (NIPC) for coordinating this issue with elements of National critical infrastructure.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0033 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Snort
http://www.snort.org

X-Force Database
http://www.iss.net/security_center/static/10956.php

For more information on ISS methodology and procedures involved in Security Advisory publication, please review the X-Force Vulnerability Disclosure Guidelines document:
http://documents.iss.net/literature/vulnerability_guidelines.pdf

Credit:

This vulnerability was discovered and researched by Mark Dowd and Neel Mehta of the ISS X-Force.

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved worldwide.

This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email xforce@iss.net for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at
http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to:
X-Force xforce@iss.net of Internet Security Systems, Inc.