Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
- Snort versions 2.4.0 to 2.4.2
- Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
The Snort Back Orifice preprocessor contains a buffer overflow that could allow a remote
attacker to execute arbitrary code on a vulnerable system.
Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its
components are used in other IDS products, notably Sourcefire Intrusion
Sensors, and Snort is included with a number of operating system
Snort preprocessors are modular plugins that extend functionality by operating on packets
before the detection engine is run. The Back Orifice preprocessor
decodes packets to determine if they contain Back Orifice ping
messages. The ping detection code does not adequately limit the amount
of data that is read from the packet into a fixed-length buffer, thus
creating the potential for a buffer overflow.
The vulnerable code will process any UDP packet that is not destined to or sourced from the
default Back Orifice port (31337/udp). An attacker could exploit this
vulnerability by sending a specially crafted UDP packet to a host or
network monitored by Snort.
US-CERT is tracking this vulnerability as VU#175500.
Further information is available in an advisory
from Internet Security Systems (ISS).
A remote attacker who can send UDP packets to a Snort sensor may be able to execute arbitrary
code. Snort typically runs with root or SYSTEM privileges, so an
attacker could take complete control of a vulnerable system. An
attacker does not need to target a Snort sensor directly; the attacker
can target any host or network monitored by Snort.