
Snort exploit in wild.


Noticed on vil.mcafee.com a proof of concept exploit for Snort to
exploit the vuln. found in v1.8 through to 1.9.1.

Packet Storm Security have this proof of concept on their site (local
exploit at the moment).
It uses a call-back technique to spawn a shell on the attacker's machine,
via a connection from the compromised machine.
I've not tried this on my Debian machines yet, so can't say if it works
- You'd need the return address for Debian as only Slackware is supported
in this proof of concept.

What's the status of a patch from Debian Security? No DSA yet either.
I know this has been brought up a few times already but now an exploit
exists in the wild.

As a workaround, I could disable snort (granted) but also, how can I use
/etc/apt/preferences to update /just/ snort to a non-vuln. version from
another branch (unstable/testing)? What line do I need in
/etc/apt/sources.list? And how easy is it to downgrade to the stable
version if something goes wrong or a patch is released from Debian?

Thanks for all the help and regards,
 .''`.     David Ramsden <david@hexstream.eu.org>
: :'  :    http://portal.hexstream.eu.org/
`. `'`     PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.
