ID

VAR-200607-0506

CVE

CVE-2006-3734

TITLE

Snort Back Orifice preprocessor buffer overflow

DESCRIPTION

Multiple unspecified vulnerabilities in the Command Line Interface (CLI) for Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.1, allow local CS-MARS administrators to execute arbitrary commands as root. A buffer overflow exists in the Snort Back Orifice preprocessor that may allow a remote, unauthenticated attacker to execute arbitrary code, possibly with elevated privileges. This may facilitate a remote compromise of affected computers. Cisco has released version 4.2.1 to address these issues; prior versions are reported vulnerable. Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. This may facilitate unauthorized access or privilege escalation. Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers. Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks. Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed. The CS-MARS CLI is a restricted shell environment that allows authenticated administrators to perform system maintenance tasks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA05-291A Snort Back Orifice Preprocessor Buffer Overflow Original release date: October 18, 2005 Last revised: -- Source: US-CERT Systems Affected * Snort versions 2.4.0 to 2.4.2 * Sourcefire Intrusion Sensors Other products that use Snort or Snort components may be affected. I. Description Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire Intrusion Sensors, and Snort is included with a number of operating system distributions. Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The ping detection code does not adequately limit the amount of data that is read from the packet into a fixed-length buffer, thus creating the potential for a buffer overflow. The vulnerable code will process any UDP packet that is not destined to or sourced from the default Back Orifice port (31337/udp). An attacker could exploit this vulnerability by sending a specially crafted UDP packet to a host or network monitored by Snort. US-CERT is tracking this vulnerability as VU#175500. Further information is available in an advisory from Internet Security Systems (ISS). II. Snort typically runs with root or SYSTEM privileges, so an attacker could take complete control of a vulnerable system. An attacker does not need to target a Snort sensor directly; the attacker can target any host or network monitored by Snort. III. Solution Upgrade Sourcefire has released Snort 2.4.3 which is available from the Snort download site. For information about other vendors, please see the Systems Affected section of VU#175500. Disable Back Orifice Preprocessor To disable the Back Orifice preprocessor, comment out the line that loads the preprocessor in the Snort configuration file (typically /etc/snort.conf on UNIX and Linux systems): [/etc/snort.conf] ... #preprocessor bo ... Restart Snort for the change to take effect. Restrict Outbound Traffic Consider preventing Snort sensors from initiating outbound connections and restricting outbound traffic to only those hosts and networks that have legitimate requirements to communicate with the sensors. While this will not prevent exploitation of the vulnerability, it may make it more difficult for an attacker to access a compromised system or reconnoiter other systems. Appendix A. References * US-CERT Vulnerability Note VU#175500 - <http://www.kb.cert.org/vuls/id/177500> * Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability - <http://www.snort.org/pub-bin/snortnews.cgi#99> * Snort downloads - <http://www.snort.org/dl/> * Snort 2.4.3 Changelog - <http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt> * Preprocessors - <http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/ node11.html#SECTION00310000000000000000> * Snort Back Orifice Parsing Remote Code Execution - <http://xforce.iss.net/xforce/alerts/id/207> ____________________________________________________________________ This vulnerability was researched and reported by Internet Security Systems (ISS). ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA05-291A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA05-291A Feedback VU#175500" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2005 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History Oct 18, 2005: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3 T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H +qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX 4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ== =jjID -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: CS-MARS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA21118 VERIFY ADVISORY: http://secunia.com/advisories/21118/ CRITICAL: Moderately critical IMPACT: Security Bypass, Exposure of system information, System access WHERE: >From local network OPERATING SYSTEM: Cisco Security Monitoring, Analysis and Response System (CS-MARS) 4.x http://secunia.com/product/6780/ DESCRIPTION: Multiple vulnerabilities have been reported in CS-MARS, which can be exploited by malicious, local users to bypass certain security restrictions and malicious people to gain knowledge of system information and compromise a vulnerable system. 2) The included JBoss web application server is also affected by an information disclosure weakness. CS-MARS also ships with an Oracle database containing several default Oracle accounts with well-known passwords. SOLUTION: Update to version 4.2.1 or later. PROVIDED AND/OR DISCOVERED BY: 1+2) Jon Hart 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml OTHER REFERENCES: SA15746: http://secunia.com/advisories/15746/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The vulnerability is caused due to a boundary error in the handling of Back Orifice packets. Alternatively, disable the Back Orifice pre-processor

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

Design Error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

These issues were disclosed by the vendor.

SOURCES

LAST UPDATE DATE

2024-08-14T13:01:52.696000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE