
Re: Snort exploit in wild.



----- Forwarded message from Marcel Weber <mmweber@ncpro.com> -----

From: Marcel Weber <mmweber@ncpro.com>
To: David Ramsden <david@hexstream.eu.org>
Cc: debian-security@lists.debian.org
Subject: Re: Snort exploit in wild.
X-Virus-Scanned: by AMaViS and OpenAntivirus ScannerDaemon
X-Spam-Status: No, hits=-4.4 required=5.0 tests=IN_REP_TO version=2.20
X-Spam-Level: 

David Ramsden wrote:

>Hi,
>
>Noticed on vil.mcafee.com that there is a proof of concept exploit for
>Snort that exploits the vuln. found in v1.8 through to 1.9.1.
>
>Packet Storm Security have this proof of concept on their site (local
>exploit at the moment).
>It uses a call-back technique to spawn a shell on the attackers machine,
>via a connection from the compromised machine.
>I've not tried this on my Debian machines yet, so can't say if it works
>- You'd need the return address for Debian as only Slackware is supported
>in this proof of concept.
>
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.
>
>As a workaround, I could disable snort (granted) but also, how can I use
>/etc/apt/preferences to update /just/ snort to a non-vuln. version from
>another branch (unstable/testing)? What line do I need in
>/etc/apt/sources.list? And how easy is it to downgrade to the stable
>version if something goes wrong or a patch is released from Debian?
>
>Thanks for all the help and regards,
>David.

Hi

Following the advice from heise.de [1] it should be enough to comment 
out the line:

preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some 
information. But safer is better ;-)

Regards

Marcel

[1] http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort

----- End forwarded message -----

-- 
 .''`.     David Ramsden <david@hexstream.eu.org>
: :'  :    http://portal.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.

Attachment: pgpPCv5JRmJSd.pgp
Description: PGP signature
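The workaround Marcel describes (commenting out the stream4_reassemble preprocessor line until a fixed package is available) is easy to get subtly wrong by hand: the line may be indented, may already be commented, or may be confused with the separate "preprocessor stream4:" line that must stay. The script below is an added example and is not code from the original thread or from the Snort or Debian projects. It applies the change idempotently, keeps a backup so the change can be reverted when a DSA ships, and checks afterwards that no active stream4_reassemble line remains. The snort.conf it writes is a constructed sample for demonstration, not a real /etc/snort/snort.conf, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: apply and verify the "comment out stream4_reassemble"
# workaround in a Snort 1.x snort.conf. Not part of the original mail.

# Return 0 if $1 contains an active (uncommented) stream4_reassemble
# preprocessor line, 1 otherwise. Leading whitespace is tolerated and
# already-commented lines are ignored, as are unrelated stream4 lines.
stream4_reassemble_active() {
    grep -q '^[[:space:]]*preprocessor[[:space:]][[:space:]]*stream4_reassemble' "$1"
}

# Comment out every active stream4_reassemble line in $1, keeping a backup
# at "$1$2" (default suffix .orig) so the edit can be reverted later.
# A temp file plus mv is used instead of sed -i for portability.
disable_stream4_reassemble() {
    conf=$1
    suffix=${2:-.orig}
    cp -p "$conf" "$conf$suffix"
    sed 's/^\([[:space:]]*\)\(preprocessor[[:space:]][[:space:]]*stream4_reassemble\)/\1# \2/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Refuse to report success if an active line somehow survived.
    if stream4_reassemble_active "$conf"; then
        echo "stream4_reassemble still active in $conf" >&2
        return 1
    fi
}

# Put the backed-up config back once a fixed snort package is installed.
restore_stream4_reassemble() {
    conf=$1
    suffix=${2:-.orig}
    mv "$conf$suffix" "$conf"
}

# Write a constructed sample config (hypothetical, for the demo only).
# The stream4 line deliberately stays: only reassembly is disabled.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample snort.conf, not a real one
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode
include $RULE_PATH/web-iis.rules
EOF
}

# Usage: sh snort_workaround.sh /etc/snort/snort.conf
# then: /etc/init.d/snort restart
main() {
    if stream4_reassemble_active "$1"; then
        disable_stream4_reassemble "$1" && echo "disabled stream4_reassemble in $1 (backup: $1.orig)"
    else
        echo "no active stream4_reassemble line in $1; nothing to do"
    fi
}

case "${1:-}" in
    "") ;;            # sourced or run without a path: define functions only
    *)  main "$1" ;;
esac
```

Restart snort after the edit so the running process re-reads the configuration, and remember the caveat from the mail: with reassembly off, any rule that depends on content reassembled across TCP segments will no longer fire, so this is a stopgap, not a fix.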

