February 20, 2007

Snort Night-matter 2007 !

We all remember the bright "Yellow" color of SANS threat-meter while every one was coding his own version of exploit for CVE-2005-3252 (AKA Back-Orifice Pre-Processor overflow) to blindly target running Snort and SourceFire appliances. It was really kind of cool and at the same time dangerous flaw which has been used to compromise MANY targeted and random victims. Although Snort team was fast enough to release fixed version of snort, but as always tons of administrators left the upgrade process for next working week and guess what? Most of them had a crash-dump of snort, ready for analyze ! This was the major flaw of Snort in 2005.

Second major flaw in snort announced as CVE-2006-6931 (AKA Rule Matching Backtrack DoS) when three researchers from University of Wisconsin-Madison released a paper describing how it's possible to take down most of current brands in IDS technology with which a technique called "Backtracking Algorithmic Complexity Attacks". Snort was one of vulnerable brands, could be DoSed more easily than some other brands , by sending a single crafted packet. 2006 finished without any other major flaw in snort getting publicly announced ( Oh thanks God!!! ).

Guess what? right, another major flaw in snort for 2007 making many 1337 c0d3rs busy out there, writing another remote for snort. Once again ISS (Neel Mehta) is credited for the flaw, which seems has been result of his previous research on Snort back in 2006, getting published in 2007. CVE-2006-5276 is placeholder of mentioned flaw affecting "DCE/RPC PreProcessor" of Snort 2.6.1 / 2.6.1.1 / 2.6.1.2 / 2.7.0 BETA1 . I just wonder why ISS and Snort (SourceFire) waited that long time to publish this one. Maybe enough snorts have not been owned last time... ;)
I'm not sure when we will see first public PoC but black-market has already released new toys in markets. Keep this one serious and update your Snort/Sourcefire ASAP as this flaw can be reliably exploited and it's not hard to discover where the flaw can be triggered. SANS handler J.Esler posted useful dairy describing quick workaround for the flaw. Don`t forget to take a look at his post.

[Updated on February 23 ]
Seems first public PoC is out . The bad news for kids is that it's a DoS code . So far three working exploits have been released commercially by different consultancy companies. The ones I'm aware of, can target SourceFire appliance and snort running on SUSE,Debian,RHEL3/4 and FreeBSD.

No comments:

Post a Comment