Lock IT Down: Snort flaw opens the door to intruders

Learn how to mitigate a heap overflow vulnerability in Snort's preprocessor.

The Snort intrusion-detection system (IDS) is supposed to help administrators keep intruders at bay, but a recently discovered vulnerability (CERT advisory CA-2003-13, “Multiple Vulnerabilities in Snort Preprocessors”) could actually open up network access to attackers.

Snort is a widely used, open source, lightweight IP network IDS that can perform real-time traffic analysis and packet logging. It was recently discovered that two modules in later versions of Snort each contain a different vulnerability.

This advisory is significant because Snort is so popular and because either vulnerability will allow an attacker to run arbitrary code on the at-risk system. Since the user level for running Snort is normally superuser (root), any penetration could give the attacker considerable access to the affected system.

The first problem is a heap overflow vulnerability in the Snort stream4 preprocessor. The vulnerability, designated VU#139129, was discovered by Core Security Technologies. It has posted a page with technical details explaining what it found. Stream4 is the plug-in that reassembles TCP traffic before forwarding it for analysis. Exploit proof-of-concept code is posted on the Core Security Technologies site. The people at have acknowledged this vulnerability and posted their own report.

At about the same time, Internet Security Systems discovered and reported a buffer overflow problem in the Snort RPC preprocessor. The problem has been designated VU#916785. See the ISS X-Force advisory for more details on this threat, which appeared in version 1.8 because that version added RPC fragmentation detection. According to ISS, an attacker only needs to send the specially formed packets to any portion of the network to initiate the attack. Having a nonexecutable stack doesn’t protect against this threat.

Although there are two separate vulnerabilities, they mostly involve the same versions. Snort versions 1.8.x, 1.9.x, and 2.0 prior to release candidate 1 are all affected by VU#139129, a heap overflow in stream4. Snort versions 1.8.x through 1.9.0 and 2.0 beta are subject to VU#916785, a buffer overflow in RPC.

Risk level—serious
This flaw could allow an attacker to remotely execute arbitrary code with root privileges on a Snort system.

Both of these module vulnerabilities are addressed in the final version 2.0 of Snort, which is available for download from the site. CERT has provided an emergency workaround for those who can’t immediately update Snort:

Go to the snort.conf configuration file. To prevent exploitation of VU#139129, comment out the following line:
preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:
preprocessor rpc_decode: 111 32771

Finally, send a SIGHUP signal to the affected Snort process to update the configuration. According to CERT, blocking all outbound traffic from the Snort sensor will provide some degree of protection until the update can be installed.
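
The workaround steps above as a small shell script. This is an added example, not code from CERT or the Snort project. The function names, the .bak backup suffix and the comment tag are assumptions; supply the path to your own snort.conf and the Snort process ID.

```shell
#!/bin/sh
# Added example: CA-2003-13 workaround for snort.conf.
# Usage (after loading these functions):
#   apply_workaround <path-to-snort.conf> [snort-pid]

# Active (uncommented) lines for the two preprocessors named in the advisory.
# "preprocessor stream4: ..." is deliberately not matched; only reassembly is.
VULN_RE='^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode)([[:space:]:]|$)'

# Print the still-active vulnerable preprocessor lines.
# Empty output means the workaround is in place.
active_vuln_preprocessors() {
    grep -E "$VULN_RE" "$1" || true
}

# Comment out those lines. A backup is kept beside the original (assumed
# suffix .bak) and the file is rewritten in place so its ownership and
# permissions are unchanged.
disable_vuln_preprocessors() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed -E "s/$VULN_RE/# CA-2003-13 workaround: &/" "$conf.bak" > "$conf"
}

# Full procedure: edit, verify, then send SIGHUP so Snort rereads its
# configuration. The PID is optional; without it only the file is changed.
apply_workaround() {
    conf=$1
    pid=${2:-}
    disable_vuln_preprocessors "$conf" || return 1
    if [ -n "$(active_vuln_preprocessors "$conf")" ]; then
        echo "vulnerable preprocessors still active in $conf" >&2
        return 1
    fi
    [ -z "$pid" ] || kill -HUP "$pid"
}
```

Running active_vuln_preprocessors on its own is a quick audit of a sensor that has not yet been upgraded to 2.0.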

Final word
Any network that includes a Snort IDS needs to immediately upgrade to version 2.0. If it's going to take a while, you should implement the workaround as soon as possible.

Debate the Locksmith
If you'd like an opportunity to debate security topics with me in person (don’t expect too much; I’m really a pleasant guy), look me up at the SummerCon2003 security convention in Pittsburgh on June 6-8. I’m scheduled to speak on several topics on June 7 and should be hanging around most of the day.
