Read about the latest developments
in security every month in Security Watch
Multiple Vulnerabilities in Snort
There are two vulnerabilities
in the Snort Intrusion Detection System, each in a separate
preprocessor module. Both vulnerabilities allow remote
attackers to execute arbitrary code with the privileges
of the user running Snort, typically root.
The Snort intrusion detection system ships with a variety of preprocessor modules that allow the user to selectively include additional functionality. Researchers from two independent organizations have discovered vulnerabilities in two of these modules: the RPC preprocessor and the "stream4" TCP stream reassembly preprocessor.
The first is a heap overflow in the Snort "stream4" preprocessor, discovered by researchers at CORE Security Technologies and exploitable remotely. stream4 reassembles TCP segments into streams so that detection runs over the reassembled data rather than over individual packets.
To exploit it, an attacker sends a series of packets with crafted sequence numbers that disrupt the preprocessor's state tracking. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.
The second is a buffer overflow in the Snort RPC preprocessor, discovered by researchers at Internet Security Systems (ISS) and also exploitable remotely. Martin Roesch, primary developer of Snort, described the vulnerability as follows:
When the RPC decoder normalizes
fragmented RPC records, it incorrectly checks the lengths
of what is being normalized against the current packet
size, leading to an overflow condition. The RPC preprocessor
is enabled by default.
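As an added illustration of the class of bug Roesch describes (this is example code written for this column, not Snort's own preprocessor source), the following C program normalizes RPC record fragments in two ways. RPC over TCP uses record marking: each fragment carries a 4-byte big-endian header whose top bit says "last fragment" and whose low 31 bits give the fragment length. The weak normalizer checks each fragment length only against the size of the whole packet; the hardened one checks it against the bytes that actually remain and against the output capacity. All function names and the two constructed packets are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RPC_LAST_FRAG 0x80000000u   /* record marking: high bit of the fragment header */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Weak normalizer: each fragment length is checked only against the size of the
 * whole packet, not against the bytes remaining after earlier fragments. It copies
 * nothing; it returns the byte count a copy loop would have written into a
 * packet-sized buffer, or 0 if the check rejected the packet. */
size_t weak_normalize_len(const uint8_t *pkt, size_t psize)
{
    size_t off = 0, out = 0;
    while (off + 4 <= psize) {
        uint32_t hdr = be32(pkt + off);
        uint32_t len = hdr & ~RPC_LAST_FRAG;
        if (len > psize)           /* the flawed check: ignores 'off' */
            return 0;
        out += len;                /* memcpy(out_buf + out, pkt + off + 4, len) would go here */
        off += 4 + len;
        if (hdr & RPC_LAST_FRAG)
            break;
    }
    return out;
}

/* Hardened normalizer: every fragment is bounded by the remaining input and by the
 * output capacity before anything is copied. Returns the normalized length, 0 on reject. */
size_t safe_normalize(const uint8_t *pkt, size_t psize, uint8_t *out, size_t outcap)
{
    size_t off = 0, outlen = 0;
    for (;;) {
        if (psize - off < 4)
            return 0;                                   /* no room for a fragment header */
        uint32_t hdr = be32(pkt + off);
        uint32_t len = hdr & ~RPC_LAST_FRAG;
        off += 4;
        if (len > psize - off || len > outcap - outlen)
            return 0;                                   /* data would run past input or output */
        memcpy(out + outlen, pkt + off, len);
        outlen += len;
        off += len;
        if (hdr & RPC_LAST_FRAG)
            return outlen;
    }
}

/* Constructed 64-byte packet: two fragments that each claim 40 bytes. Only 16 bytes
 * follow the second header, so 80 bytes of output are claimed from 64 bytes of input. */
static size_t build_overlong(uint8_t *buf)
{
    memset(buf, 'A', 64);
    put_be32(buf, 40);                       /* fragment 1: 40 bytes, more to follow */
    put_be32(buf + 44, 40 | RPC_LAST_FRAG);  /* fragment 2: 40 bytes, last */
    return 64;
}

/* Constructed well-formed 20-byte packet: fragments of 8 and 4 bytes. */
static size_t build_valid(uint8_t *buf)
{
    memset(buf, 'B', 20);
    put_be32(buf, 8);
    put_be32(buf + 12, 4 | RPC_LAST_FRAG);
    return 20;
}

size_t demo_weak_overlong(void) { uint8_t p[64]; size_t n = build_overlong(p); return weak_normalize_len(p, n); }
size_t demo_safe_overlong(void) { uint8_t p[64], o[64]; size_t n = build_overlong(p); return safe_normalize(p, n, o, sizeof o); }
size_t demo_safe_valid(void)    { uint8_t p[20], o[20]; size_t n = build_valid(p); return safe_normalize(p, n, o, sizeof o); }
```

On the over-long packet the weak check accepts both fragments (each 40 is below the 64-byte packet size) and would write 80 bytes into a packet-sized buffer while reading 24 bytes past the end of the input; the hardened version rejects the second fragment because only 16 bytes remain. The general rule is the one the quote points at: a length taken from the wire must be compared with what is left, not with a total that earlier fragments have already consumed.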
The heap overflow in the Snort "stream4" preprocessor affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1, including Snort 2.0 Beta. The buffer overflow in the Snort RPC preprocessor affects Snort versions 1.8.x through 1.9.0 and 2.0 Beta; Snort 1.9.1 is not affected by it.
Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Note that the attacker does not need to know the IP address of the Snort sensor, or even that one is present: merely sending malicious traffic where an affected sensor can observe it is sufficient to trigger the vulnerability.
Mitigations for these vulnerabilities:
- Upgrade to Snort 2.0 (RC1 or later), which fixes both issues. Snort 1.9.1 fixes only the RPC preprocessor.
- Disable the affected preprocessor (stream4 or rpc_decode) in snort.conf until the sensor is upgraded. This costs the stream reassembly and RPC decoding they provide, so detection of traffic that depends on them is weakened.
- Block outbound packets from Snort IDS systems. This does not prevent exploitation, but it denies a successful exploit a connect-back channel from the sensor.
Running Snort as an unprivileged user rather than root (its -u and -g options) likewise does not prevent exploitation, but it limits what a successful exploit gains.
Integer overflow in Sun RPC
XDR library routines
There is an integer overflow
in the xdrmem_getbytes() function distributed as part
of the Sun Microsystems XDR library. This overflow can
cause remotely exploitable buffer overflows in multiple
applications, leading to the execution of arbitrary
code. Although the library was originally distributed
by Sun Microsystems, multiple vendors have included
the vulnerable code in their own implementations.
XDR (external data representation) libraries provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations so that application programmers can use common interfaces to interact with many different types of systems. The xdrmem_getbytes() function contains an integer overflow that can lead to improperly sized dynamic memory allocation: a length supplied by the remote party can pass the function's bounds check after wrapping, so callers that trust the result may read or copy past the end of a buffer. Depending on how and where the vulnerable xdrmem_getbytes() function is used, problems like buffer overflows may result.
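The following added example reconstructs the shape of such a check; it is illustration code for this column, not the vendor's library source. A signed "bytes remaining" counter has an unsigned, attacker-controlled length subtracted from it and is then tested for being negative; because the subtraction happens in unsigned arithmetic, a huge length wraps to a small positive remainder and the test never fires. A hardened check that compares before subtracting sits beside it, followed by a small decoder for an XDR variable-length opaque field that uses the hardened version. The memstream type, the field names and the demo_* functions are hypothetical stand-ins for the library's XDR memory-stream structure.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Weak check: with int x_handy and an unsigned len, 'x_handy -= len' is computed
 * in unsigned arithmetic and wraps modulo 2^32 before the '< 0' test sees it.
 * Returns whether a copy of len bytes would proceed. */
bool weak_getbytes_ok(int x_handy, uint32_t len)
{
    unsigned int remaining = (unsigned int)x_handy - len;   /* wraps for large len */
    x_handy = (int)remaining;                                /* what 'x_handy -= len' stores */
    return !(x_handy < 0);
}

/* Hardened check: compare before subtracting, in one unsigned width. */
bool safe_getbytes_ok(int x_handy, uint32_t len)
{
    if (x_handy < 0)
        return false;
    return len <= (uint32_t)x_handy;
}

/* Minimal memory stream standing in for an XDR memory stream (hypothetical type). */
typedef struct {
    const uint8_t *cur;   /* next unread byte */
    int handy;            /* bytes left, like the library's x_handy */
} memstream;

bool safe_getbytes(memstream *xs, uint8_t *dst, uint32_t len)
{
    if (!safe_getbytes_ok(xs->handy, len))
        return false;
    memcpy(dst, xs->cur, len);
    xs->cur += len;
    xs->handy -= (int)len;
    return true;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* XDR variable-length opaque: 4-byte big-endian count, count bytes, zero padding to
 * a multiple of 4. The count is trusted only after both the stream and the caller's
 * buffer have been checked. Returns the decoded length, or -1 on reject. */
int safe_get_opaque(memstream *xs, uint8_t *dst, size_t dstcap)
{
    uint8_t hdr[4], pad[3];
    if (!safe_getbytes(xs, hdr, 4))
        return -1;
    uint32_t n = be32(hdr);
    if (n > dstcap)
        return -1;                                   /* would be the "improperly sized" copy */
    if (!safe_getbytes(xs, dst, n))
        return -1;
    uint32_t padlen = (4 - (n & 3)) & 3;
    if (padlen && !safe_getbytes(xs, pad, padlen))
        return -1;
    return (int)n;
}

/* Constructed record: count 5, "hello", 3 bytes of padding. */
int demo_decode_good(void)
{
    const uint8_t rec[12] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0};
    memstream xs = { rec, sizeof rec };
    uint8_t out[16];
    return safe_get_opaque(&xs, out, sizeof out);
}

/* Constructed record claiming 0x7FFFFFF0 bytes inside a 12-byte stream. */
int demo_decode_huge(void)
{
    const uint8_t rec[12] = {0x7f, 0xff, 0xff, 0xf0, 'h', 'e', 'l', 'l', 'o', 0, 0, 0};
    memstream xs = { rec, sizeof rec };
    uint8_t out[16];
    return safe_get_opaque(&xs, out, sizeof out);
}
```

With 32 bytes left in the stream, weak_getbytes_ok(32, 0xFFFFFFF0) accepts the request because 32 - 0xFFFFFFF0 wraps to 48, while safe_getbytes_ok rejects it. The same discipline applies one level up: the opaque decoder checks the wire-supplied count against the destination buffer before it ever allocates or copies, which is the step the advisory's "improperly sized dynamic memory allocation" refers to.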
Since SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of security problems. Exploiting it may lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Specific impacts reported include the ability to crash the rpcbind service and possibly execute arbitrary code with root privileges. In addition, intruders may be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys.
Apply the appropriate patch
or upgrade as specified by your vendor.
XDR libraries can be used by multiple applications on most systems, so it may be necessary to apply multiple patches and then recompile statically linked applications. Applications that are statically linked must be recompiled against the patched libraries. Applications that are dynamically linked do not need to be recompiled, but running services must be restarted before they use the patched libraries; a patched library on disk does nothing for a process that still has the old copy mapped.
System administrators should consider the following process when addressing this vulnerability:
- Patch or obtain updated XDR/RPC libraries.
- Restart any dynamically linked services that make use of the XDR/RPC libraries.
- Recompile any statically linked applications using the patched or updated XDR/RPC libraries.
Until patches are available and can be applied, access to services or applications compiled with the vulnerable xdrmem_getbytes() function should be disabled where possible.
Samba contains multiple buffer overflows
Samba contains several buffer
overflow vulnerabilities. At least one of these vulnerabilities
could allow an anonymous, remote attacker to execute
arbitrary code or cause a denial of service.
Samba is a widely used open-source
implementation of Server Message Block (SMB)/Common
Internet File System (CIFS). Samba-TNG is a forked development
branch of Samba. SMB/CIFS is used in Microsoft Windows
to provide file and print services. Samba versions prior
to 2.2.8a and Samba-TNG versions prior to 0.3.2 contain
several buffer overflow vulnerabilities.
There is a stack overflow in the function trans2open() (in trans2.c), and an exploit for this vulnerability has been publicly released. After the trans2open() issue was reported, the Samba Team discovered and fixed several other buffer overflow vulnerabilities (in statcache.c, reply.c, and password.c).
An unauthenticated, remote attacker could execute arbitrary code or cause a denial of service. The Samba daemon (smbd) runs with root privileges, so an attacker could gain complete control of a vulnerable system.
Patch or Upgrade
Upgrade or apply a patch as
specified by your vendor.
Upgrade or patch to Samba 2.2.8a
or Samba-TNG 0.3.2.
Block or Restrict Access
Block or restrict access to Samba services (TCP ports 139 and 445) from untrusted networks such as the Internet. The trans2open() overflow requires no authentication, so network reachability alone is enough for an attacker.
The Samba Team announcement for version 2.2.8 contains
excellent recommendations for restricting access to