CVE-2003-0033
CVSS 10.0
Published: 2003-03-07 00:00:00
Revised: 2016-10-17 22:28:38

[Original] Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before 1.9.1 allows remote attackers to execute arbitrary code via fragmented RPC packets.


[CNNVD] Snort RPC Preprocessor Remote Heap Corruption Vulnerability (CNNVD-200303-034)

        
        Snort is a popular open-source network intrusion detection system.
        Snort's network sensor program contains a buffer overflow vulnerability in its implementation; a remote attacker may exploit it to mount a denial-of-service attack against the Snort process or to execute arbitrary instructions on the sensor host with root privileges.
        Beginning with version 1.8, Snort added code to check for attacks that use RPC fragmentation to evade detection. When the Snort RPC preprocessor handles fragmented network traffic, the program uses an incorrect comparison when checking and reassembling RPC fragments, which can lead to heap corruption. A remote attacker may exploit this by sending malformed packets to the Snort sensor process, causing a denial of service against the network sensor or executing arbitrary instructions with the privileges of the sensor process (usually root). Because the sensor normally listens in promiscuous mode to all traffic on its network segment, the attacker need not know where the sensor is located nor establish a direct connection to it in order to launch the attack. The RPC preprocessor is enabled by default.
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:snort:snort:1.8.7  Snort Snort 1.8.7
cpe:/a:snort:snort:1.8.6  Snort Snort 1.8.6
cpe:/a:snort:snort:1.8.5  Snort Snort 1.8.5
cpe:/a:snort:snort:1.8.4  Snort Snort 1.8.4
cpe:/a:snort:snort:1.8.3  Snort Snort 1.8.3
cpe:/a:snort:snort:1.8.2  Snort Snort 1.8.2
cpe:/a:snort:snort:1.8.1  Snort Snort 1.8.1
cpe:/a:snort:snort:1.9.0  Snort Snort 1.9.0
cpe:/a:snort:snort:1.8.0  Snort Snort 1.8.0

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0033
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0033
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-034
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=104673386226064&w=2
(UNKNOWN)  BUGTRAQ  20030303 Snort RPC Vulnerability (fwd)
http://marc.info/?l=bugtraq&m=104716001503409&w=2
(UNKNOWN)  GENTOO  GLSA-200303-6.1
http://marc.info/?l=bugtraq&m=105154530427824&w=2
(UNKNOWN)  GENTOO  GLSA-200304-06
http://www.cert.org/advisories/CA-2003-13.html
(UNKNOWN)  CERT  CA-2003-13
http://www.debian.org/security/2003/dsa-297
(UNKNOWN)  DEBIAN  DSA-297
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
(VENDOR_ADVISORY)  ISS  20030303 Snort RPC Preprocessing Vulnerability
http://www.iss.net/security_center/static/10956.php
(VENDOR_ADVISORY)  XF  snort-rpc-fragment-bo(10956)
http://www.kb.cert.org/vuls/id/916785
(VENDOR_ADVISORY)  CERT-VN  VU#916785
http://www.linuxsecurity.com/advisories/engarde_advisory-2944.html
(UNKNOWN)  ENGARDE  ESA-20030307-007
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:029
(UNKNOWN)  MANDRAKE  MDKSA-2003:029
http://www.securityfocus.com/bid/6963
(VENDOR_ADVISORY)  BID  6963

- Vulnerability Information

Snort RPC Preprocessor Remote Heap Corruption Vulnerability
Critical  Boundary Condition Error
2003-03-07 00:00:00 2005-05-13 00:00:00
Remote
        
        

- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable the RPC preprocessor.
        In the snort.conf file, find the following line:
        preprocessor rpc_decode
        and replace it with
        # preprocessor rpc_decode
        Then restart the Snort sensor.
        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2003:029) and the corresponding patches:
        MDKSA-2003:029: Updated snort packages fix buffer overflow vulnerability
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-029.php

        Patch downloads:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-bloat-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-mysql-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-postgresql-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-snmp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/snort-1.9.1-0.5mdk.src.rpm
        Mandrake Linux 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-bloat-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-mysql-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-postgresql-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-snmp-1.9.1-0.5mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/snort-1.9.1-0.5mdk.src.rpm
        Mandrake Linux 8.2/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-bloat-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-mysql-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-postgresql-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-snmp-1.9.1-0.5mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/snort-1.9.1-0.5mdk.src.rpm
        Mandrake Linux 9.0:
        

- Vulnerability Information

4418
Snort RPC Decode Module Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability Workaround, Upgrade
Vendor Verified

- Vulnerability Description

Snort contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to a flaw in the Remote Procedure Call (RPC) preprocessor. If an attacker sends fragmented RPC traffic to a system running Snort, they may be able to overflow the buffer and crash the IDS or execute arbitrary code with the same privileges as the IDS.

- Timeline

2003-03-03 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the rpc_decode preprocessor. Edit snort.conf and replace any lines that begin with "preprocessor rpc_decode" with "# preprocessor rpc_decode" (the leading "#" comments the line out).
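The CNNVD workaround in the Advisories and Patches section and this OSVDB solution describe the same edit: comment out the rpc_decode preprocessor line in snort.conf so that fragmented RPC traffic never reaches the flawed reassembly code. The script below is an added example, not Snort project code or text from either database. It applies that edit to a constructed sample snort.conf (the file contents and the temporary path are assumptions), keeps a backup, leaves lines that are already commented untouched so the edit is safe to repeat, and verifies afterwards that no active rpc_decode line remains. Restarting the sensor so the new configuration takes effect is still a separate manual step.

```shell
#!/bin/sh
# Added example (not Snort project code): comment out the rpc_decode
# preprocessor in a Snort 1.x snort.conf and verify the result.

# Write a constructed snort.conf fragment to the given path.
# The contents are a made-up sample, not a real deployment.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample snort.conf fragment
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80 -unicode
# preprocessor rpc_decode
EOF
}

# Print the number of ACTIVE (uncommented) rpc_decode preprocessor lines.
# Leading whitespace is tolerated, a leading '#' marks a disabled line,
# and "rpc_decode:" followed by port arguments is matched as well.
count_active_rpc_decode() {
    grep -c '^[[:space:]]*preprocessor[[:space:]][[:space:]]*rpc_decode' "$1" || true
}

# Disable rpc_decode in the given snort.conf.
# Keeps a .bak copy and prefixes every active rpc_decode line with "# ".
# Lines that are already commented do not match, so the edit is idempotent.
# Returns 0 only if no active rpc_decode line remains afterwards.
disable_rpc_decode() {
    cp "$1" "$1.bak" || return 1
    sed 's/^\([[:space:]]*\)\(preprocessor[[:space:]][[:space:]]*rpc_decode\)/\1# \2/' \
        "$1.bak" > "$1" || return 1
    [ "$(count_active_rpc_decode "$1")" -eq 0 ]
}

main() {
    conf=$(mktemp) || exit 1
    make_sample_conf "$conf"
    echo "active rpc_decode lines before: $(count_active_rpc_decode "$conf")"
    if disable_rpc_decode "$conf"; then
        echo "rpc_decode disabled; backup kept at $conf.bak"
    else
        echo "failed to disable rpc_decode in $conf" >&2
    fi
    echo "active rpc_decode lines after:  $(count_active_rpc_decode "$conf")"
    grep -n 'rpc_decode' "$conf"
    rm -f "$conf" "$conf.bak"
}

main "$@"
```

Run it against a real sensor by replacing the sample file with the path of the deployed snort.conf; the count function on its own is also a quick audit of whether a Snort 1.8/1.9.0 sensor still has the vulnerable preprocessor enabled.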

- References

- Vulnerability Author

- Vulnerability Information

Snort RPC Preprocessor Fragment Reassembly Buffer Overflow Vulnerability
Boundary Condition Error 6963
Yes No
2003-03-03 12:00:00 2009-07-11 08:06:00
Discovered by ISS X-Force.

- Affected Versions

Snort Project Snort 1.9
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
Snort Project Snort 1.8.7
Snort Project Snort 1.8.6
Snort Project Snort 1.8.5
Snort Project Snort 1.8.4 beta1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Snort Project Snort 1.8.4
Snort Project Snort 1.8.3
Snort Project Snort 1.8.2
Snort Project Snort 1.8.1
Snort Project Snort 1.8
+ Conectiva Linux 8.0
SmoothWall SmoothWall 2.0 beta 4
SmoothWall SmoothWall 1.0
Snort Project Snort 1.9.1
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2

- Unaffected Versions

Snort Project Snort 1.9.1
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2

- Vulnerability Discussion

A vulnerability in the Snort network IDS has been discovered that may allow for remote attackers to compromise hosts using the system. The vulnerability is due to a programmatic flaw in the RPC preprocessor. This preprocessor is enabled by default. Successful attacks may result in the execution of instructions on the IDS system with root privileges.

- Exploit

Currently we are not aware of any publicly available exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Administrators are advised to upgrade vulnerable installations of Snort. A fix has been committed to the CVS tree and is available at the following location:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/preprocessors/spp_rpc_decode.c

Gentoo Linux has released an advisory. Users who have installed net-analyzer/snort are advised to upgrade to snort-1.9.1 by issuing the following commands:

emerge sync
emerge -u snort
emerge clean

Mandrake has released a security advisory (MDKSA-2003:029) which contains fixes.

EnGarde Secure Linux has released a security advisory. Information about obtaining and applying the patches are available in the referenced advisory.

Sorcerer Linux has released an advisory. Users are advised to upgrade systems by issuing the following commands:

augur synch && augur update

SmoothWall has released 'fixes2' for SmoothWall 1.0-final systems. Users who are using SmoothWall 0.99 systems are advised to upgrade to SmoothWall 1.0-final. Fixes are also available for SmoothWall 2.0b4-mallard systems. Further information is available in the referenced message.

Conectiva has released a security advisory (CLA-2003:613) which contains fixes for this issue. Users are advised to upgrade their Snort packages as soon as possible.

While NetBSD does not include Snort by default, Snort is available through pkgsrc. NetBSD users who have installed Snort packages should use pkgsrc/security/audit-packages to apply upgrades.

Debian has released a security advisory (DSA 297-1) containing fixes which address this issue. Users are advised to upgrade as soon as possible.

Fixes available:

SmoothWall SmoothWall 1.0
Snort Project Snort 1.8
Snort Project Snort 1.8.1
Snort Project Snort 1.8.2
Snort Project Snort 1.8.3
Snort Project Snort 1.8.4 beta1
Snort Project Snort 1.8.4
Snort Project Snort 1.8.5
Snort Project Snort 1.8.6
Snort Project Snort 1.8.7
Snort Project Snort 1.9
SmoothWall SmoothWall 2.0 beta 4

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.