Issue of July 2003 

Security watch

Read about the latest developments in security every month in Security Watch

Multiple Vulnerabilities in Snort Preprocessors

There are two vulnerabilities in the Snort Intrusion Detection System, each in a separate preprocessor module. Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.


The Snort intrusion detection system ships with a variety of preprocessor modules that allow the user to selectively include additional functionality. Researchers from two independent organizations have discovered vulnerabilities in two of these modules, the RPC preprocessor and the "stream4" TCP fragment re-assembly preprocessor.

The first is a heap overflow in the Snort "stream4" preprocessor. Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.

To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.

The second is a buffer overflow in the Snort RPC preprocessor. Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Martin Roesch, primary developer for Snort, described the vulnerability as follows:

When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default.
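
A length-checked reassembly of fragmented RPC records, as an added example in C (not Snort's code and not part of the original article). It assumes the standard RPC record marking of RFC 5531 (a 4-byte big-endian mark whose high bit flags the last fragment and whose low 31 bits give the fragment length); the function name and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPC_LAST_FRAG 0x80000000u   /* high bit of the 4-byte record mark */

/* Copies the payload of every fragment in pkt into out, dropping the record
 * marks. Returns the number of bytes written, or -1 if a length does not fit. */
long rpc_defragment(const uint8_t *pkt, size_t pkt_len,
                    uint8_t *out, size_t out_cap)
{
    size_t off = 0, written = 0;

    for (;;) {
        if (pkt_len - off < 4)              /* no room for a record mark */
            return -1;
        uint32_t mark = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
                        ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
        uint32_t frag_len = mark & ~RPC_LAST_FRAG;
        off += 4;

        if (frag_len > pkt_len - off)       /* bytes REMAINING in the packet */
            return -1;
        if (frag_len > out_cap - written)   /* space REMAINING in the output */
            return -1;

        memcpy(out + written, pkt + off, frag_len);
        written += frag_len;
        off += frag_len;
        if (mark & RPC_LAST_FRAG)
            return (long)written;
    }
}

/* Constructed samples: "abc" + "de" in two fragments, and a mark claiming 64 bytes. */
static const uint8_t GOOD_PKT[] = {0,0,0,3,'a','b','c', 0x80,0,0,2,'d','e'};
static const uint8_t BAD_PKT[]  = {0x80,0,0,64,'x','y'};

int main(void)
{
    uint8_t out[16];
    printf("good: %ld\n", rpc_defragment(GOOD_PKT, sizeof GOOD_PKT, out, sizeof out));
    printf("bad:  %ld\n", rpc_defragment(BAD_PKT, sizeof BAD_PKT, out, sizeof out));
    return 0;
}
```

Each fragment length is compared with what is left of the packet and of the destination at that point, so a record split across many fragments cannot accumulate past either bound.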

Systems affected

The heap overflow in the Snort "stream4" preprocessor module affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1, including Snort 1.9.1.

The buffer overflow in the Snort RPC preprocessor affects Snort versions 1.8.x through 1.9.0 and 2.0 Beta. Snort version 1.9.1 is not affected.


Both vulnerabilities allow remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit these vulnerabilities.


To protect against these vulnerabilities:

  • Upgrade to Snort 2.0
  • Disable affected preprocessor modules
  • Block outbound packets from Snort IDS systems

Integer overflow in Sun RPC XDR library routines

There is an integer overflow in the xdrmem_getbytes() function distributed as part of the Sun Microsystems XDR library. This overflow can cause remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.


XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdrmem_getbytes() function contains an integer overflow that can lead to improperly sized dynamic memory allocation. Depending on how and where the vulnerable xdrmem_getbytes() function is used, subsequent problems like buffer overflows may result.
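
How an integer wrap can defeat a remaining-bytes check in an in-memory decoder, as an added example in C (not code from the XDR library or from the original article). It assumes the check takes a subtract-then-test-the-sign form, which the page does not show; the struct, the function names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory decode stream: a model, not the XDR library's type. */
struct mem_stream {
    const uint8_t *pos;   /* next unread byte */
    uint32_t left;        /* unread bytes, unsigned on purpose */
};

/* Flawed pattern, decision only (nothing is copied): the remaining count is
 * signed, the unsigned length is subtracted, and only the sign of the result
 * is tested. A very large len wraps around to a small positive value. */
int flawed_check_accepts(int32_t handy, uint32_t len)
{
    uint32_t after = (uint32_t)handy - len;
    return (after & 0x80000000u) == 0;      /* sign bit clear: "not negative" */
}

/* Hardened pattern: compare before subtracting, in unsigned arithmetic, and
 * bound the copy by the destination as well as by the source. */
int getbytes_checked(struct mem_stream *s, void *dst, size_t dst_cap, uint32_t len)
{
    if (len > s->left || len > dst_cap)
        return 0;
    memcpy(dst, s->pos, len);
    s->pos += len;
    s->left -= len;
    return 1;
}

int main(void)
{
    static const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    uint8_t dst[8];
    struct mem_stream s = { src, sizeof src };

    printf("flawed accepts 0xFFFFFFFF: %d\n", flawed_check_accepts(8, 0xFFFFFFFFu));
    printf("checked accepts 0xFFFFFFFF: %d\n", getbytes_checked(&s, dst, sizeof dst, 0xFFFFFFFFu));
    printf("checked accepts 4: %d\n", getbytes_checked(&s, dst, sizeof dst, 4u));
    return 0;
}
```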


Since SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

Specific impacts reported include the ability to crash the rpcbind service and possibly execute arbitrary code with root privileges. In addition, intruders may be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys.


Apply the appropriate patch or upgrade as specified by your vendor.

XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

  • Patch or obtain updated XDR/RPC libraries.
  • Restart any dynamically linked services that make use of the XDR/RPC libraries.
  • Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

Until patches are available and can be applied, access to services or applications compiled with the vulnerable xdrmem_getbytes() function should ideally be disabled.

Samba contains multiple buffer overflows

Samba contains several buffer overflow vulnerabilities. At least one of these vulnerabilities could allow an anonymous, remote attacker to execute arbitrary code or cause a denial of service.


Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). Samba-TNG is a forked development branch of Samba. SMB/CIFS is used in Microsoft Windows to provide file and print services. Samba versions prior to 2.2.8a and Samba-TNG versions prior to 0.3.2 contain several buffer overflow vulnerabilities.

There is a stack overflow in the function trans2open() (in trans2.c), and an exploit for this vulnerability has been publicly released.

After the trans2open() issue was reported, the Samba Team discovered and fixed several other buffer overflow vulnerabilities (in statcache.c, reply.c, and password.c).


An unauthenticated, remote attacker could execute arbitrary code or cause a denial of service. The Samba daemon (smbd) runs with root privileges, so an attacker could gain complete control of a vulnerable system.


Patch or Upgrade

Upgrade or apply a patch as specified by your vendor.

Upgrade or patch to Samba 2.2.8a or Samba-TNG 0.3.2.

Block or Restrict Access

Block or restrict access to Samba services from untrusted networks such as the Internet. The Samba Team announcement for version 2.2.8 contains excellent recommendations for restricting access to Samba servers.


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.