Comments on TaoSecurity Blog: The Coming Snort Worm
Blog author: Richard Bejtlich
7 comments

Richard Bejtlich, 2005-10-24 10:35 -04:00

Jose, thanks for the correction!

jose nazario, 2005-10-24 09:37 -04:00

Richard, you have a critical fact wrong above. It's UDP packets to and from any ports BUT 31337. 31337 short circuits the logic and bypasses the vulnerable code in spp_bo.c. Anything but 31337 (where the src and the dst ports are not 31337) gets the vulnerable treatment in 2.4.0-2.4.2.

Richard Bejtlich, 2005-10-23 19:13 -04:00

I just posted the results of running 'diff -u snort-2.4.3/src/preprocessors/spp_bo.c snort-2.4.2/src/preprocessors/spp_bo.c > 2.4.2-2.4.3_diff.txt' here: http://www.taosecurity.com/2.4.2-2.4.3_diff.txt

Anonymous, 2005-10-23 17:55 -04:00

There's really no need to compare 2.4.2 with 2.4.3. If you can read some C code and just take a look at the BO preprocessor, you should be able to spot the bug in a couple of minutes.

Hm, the thing about people saying that it's likely going to be a DoS and not be exploited is odd. All the reasons being mentioned are true not just for this bug but for pretty much ALL stack smashes. And I would classify most stack smashes (including the one in Snort) as (almost) trivial. It would have been a whole different thing if it was some sneaky heap off-by-one (or something similar), but it's not!

Anonymous, 2005-10-23 16:39 -04:00

Couple of things not mentioned which reduce the impact of this vulnerability.

If you run Snort as the unpriv username "snort" instead of "root" (which should be the majority), then they get local access, not root.

Secondly, Snort should be run in a chroot'ed jail (the "-l" option), so the exploit would give the hacker unpriv access in a jail containing no interesting files. In fact, most overflows attempt to invoke /bin/bash waaay at the beginning, and I'm yet to meet a jail which has that binary in it! ;-)

Anonymous, 2005-10-22 21:00 -04:00

The most likely outcome of trying to exploit this vulnerability is a DoS, not an overflow. People keep talking about this vulnerability as if it's trivial to exploit on all the platforms that Snort supports, but it's not.

Richard Bejtlich, 2005-10-22 18:36 -04:00

ISS discovered it, then worked with US-CERT.