{"vuid":"VU#916785","idnumber":"916785","name":"Buffer overflow in Snort RPC preprocessor","keywords":["Snort","RPC","preprocessing"],"overview":"There is a buffer overflow vulnerability in the RPC preprocessing feature of Snort versions 1.8 through 1.9.0 and 2.0 beta.","clean_desc":"Martin Roesch, the primary Snort developer, described the vulnerability by saying: When the RPC decoder normalizes fragmented RPC records, it incorrectly checks the lengths of what is being normalized against the current packet size, leading to an overflow condition. The RPC preprocessor is enabled by default. The ISS X-Force team has published an advisory with additional information on this issue: http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951 Information about this vulnerability can also be found on the Snort web site at: http://www.snort.org/","impact":"A remote attacker can execute arbitrary code as the user running the Snort process, usually root. The attacker does not need to send packets directly to the Snort sensor. It is sufficient to send packets to any of the hosts on the network monitored by Snort.","resolution":"Upgrade to Snort version 1.9.1 Upgrade to Snort version 1.9.1 to correct this vulnerability. This version of snort is available at: http://www.snort.org/dl/snort-1.9.1.tar.gz","workarounds":"Disable the rpc_decode preprocessor You can prevent exploitation of this vulnerability by commenting out the rpc_decode preprocessor in the \"snort.conf\" configuration file. Note that this change may affect your ability to correctly process RPC record fragments. Block outbound packets from Snort IDS systems You may be able limit an attacker's capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.","sysaffected":"","thanks":"Thanks to ISS X-Force for discovering this vulnerability, and to Martin Roesch for his assistance in developing this document.","author":"This document was written by Cory F. Cohen.","public":["http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951","http://www.snort.org/dl/snort-1.9.1.tar.gz","http://marc.theaimsgroup.com/?l=bugtraq&m=104673386226064&w=2","http://www.iss.net/security_center/static/10956.php"],"cveids":["CVE-2003-0033"],"certadvisory":"CA-2003-13","uscerttechnicalalert":null,"datecreated":"2003-02-27T20:51:07Z","publicdate":"2003-03-03T00:00:00Z","datefirstpublished":"2003-03-03T18:12:59Z","dateupdated":"2003-05-20T01:02:09Z","revision":21,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"7","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"19","cam_easeofexploitation":"10","cam_attackeraccessrequired":"15","cam_scorecurrent":"6.4125","cam_scorecurrentwidelyknown":"13.359375","cam_scorecurrentwidelyknownexploited":"24.046875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":6.4125,"vulnote":null}