
Re: Snort exploit in wild.



On Fri, 2003-04-25 at 11:19, David Ramsden wrote:

> Noticed on vil.mcafee.com that there is a proof of concept exploit for
> Snort to exploit the vuln. found in v1.8 through to 1.9.1.

Up to 2.0rc1, as reported by CERT.

> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.

I don't know if the Debian package is affected; however, it should be.

> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?

Don't do it... unstable/snort depends on a libc version not available in
stable, and maybe there are some other unresolved dependencies...
Instead, get the deb-src and try to recompile... I think it's not so
linear, but it should work...

In the meantime (from the CERT advisory):

> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
> 
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.

Regards,
Gian Piero.

PS: About the pinning question, please read the apt-howto.
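The CERT workaround quoted above, scripted as an added example (not from the thread or from the Snort or Debian projects): it comments out the two named preprocessor lines, verifies that no active copy of either remains, and only then sends the SIGHUP. The sample config is constructed and the pid file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread: apply the CERT workaround quoted
# above to a snort.conf and verify it took before signalling the sensor.

# Comment out every active "preprocessor stream4_reassemble" and
# "preprocessor rpc_decode" line in file $1, leaving all else intact.
# awk splits on whitespace, so indented lines still match; a trailing colon
# on the module name ("rpc_decode:") is stripped before comparing.
disable_affected_preprocessors() {
    tmp="$1.tmp.$$"
    awk '
        { name = $2; sub(/:$/, "", name) }
        $1 == "preprocessor" && (name == "stream4_reassemble" || name == "rpc_decode") {
            print "# " $0; next
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 only when no active line for either affected module remains,
# so a mis-typed edit cannot leave the vulnerable preprocessors loaded.
check_workaround_applied() {
    awk '
        { name = $2; sub(/:$/, "", name) }
        $1 == "preprocessor" && (name == "stream4_reassemble" || name == "rpc_decode") { found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Make the running sensor re-read its configuration (SIGHUP, per the
# advisory). The pid file location is an assumption; pass the real one.
reload_snort() {
    kill -HUP "$(cat "$1")"
}

# Constructed sample config for trying the functions without touching a
# real sensor; the first and last lines must survive unchanged.
write_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
# preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80
EOF
}

# Usage: sh snort-workaround.sh /etc/snort/snort.conf /path/to/snort.pid
if [ "$#" -ge 2 ]; then
    disable_affected_preprocessors "$1"
    check_workaround_applied "$1" && reload_snort "$2"
fi
```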
