This flaw allowed unauthenticated attackers to gain complete control over affected systems, including Windows 2000, XP, and Server 2003. Its ease of exploitation led to widespread attacks, notably by the Zotob worm, causing significant disruptions.
The alert underscored the urgency of applying the Microsoft security update MS05-039 to prevent compromise. It served as a stark reminder of the importance of timely patching for critical infrastructure services.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA05-291A
Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.
Overview
The Snort Back Orifice preprocessor contains a buffer overflow that
could allow a remote attacker to execute arbitrary code on a
vulnerable system.
I. Description
Snort is a widely-deployed, open-source network intrusion detection
system (IDS). Snort and its components are used in other IDS
products, notably Sourcefire Intrusion Sensors, and Snort is
included with a number of operating system distributions.
Snort preprocessors are modular plugins that extend functionality
by operating on packets before the detection engine is run. The
Back Orifice preprocessor decodes packets to determine if they
contain Back Orifice ping messages. The ping detection code does
not adequately limit the amount of data that is read from the
packet into a fixed-length buffer, thus creating the potential for
a buffer overflow.
The vulnerable code will process any UDP packet that is not
destined to or sourced from the default Back Orifice port
(31337/udp). An attacker could exploit this vulnerability by
sending a specially crafted UDP packet to a host or network
monitored by Snort.
US-CERT is tracking this vulnerability as VU#175500. Further
information is available in an advisory from Internet Security
Systems (ISS).
II. Impact
A remote attacker who can send UDP packets to a Snort sensor may be
able to execute arbitrary code. Snort typically runs with root or
SYSTEM privileges, so an attacker could take complete control of a
vulnerable system. An attacker does not need to target a Snort
sensor directly; the attacker can target any host or network
monitored by Snort.
III. Solution
Upgrade
Sourcefire has released Snort 2.4.3 which is available from the
Snort download site. For information about other vendors, please
see the Systems Affected section of VU#175500.
Disable Back Orifice Preprocessor
To disable the Back Orifice preprocessor, comment out the line that
loads the preprocessor in the Snort configuration file (typically
/etc/snort.conf on UNIX and Linux systems):
[/etc/snort.conf]
...
#preprocessor bo
...
Restart Snort for the change to take effect.
Restrict Outbound Traffic
Consider preventing Snort sensors from initiating outbound
connections and restricting outbound traffic to only those hosts
and networks that have legitimate requirements to communicate with
the sensors. While this will not prevent exploitation of the
vulnerability, it may make it more difficult for an attacker to
access a compromised system or reconnoiter other systems.
Appendix A. References
* US-CERT Vulnerability Note VU#175500 -
<http://www.kb.cert.org/vuls/id/177500>
* Fixes and Mitigation Instructions Available for Snort Back
Orifice Vulnerability -
<http://www.snort.org/pub-bin/snortnews.cgi#99>
* Snort downloads - <http://www.snort.org/dl/>
* Snort 2.4.3 Changelog -
<http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt>
* Preprocessors -
<http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/
node11.html#SECTION00310000000000000000>
* Snort Back Orifice Parsing Remote Code Execution -
<http://xforce.iss.net/xforce/alerts/id/207>
____________________________________________________________________
This vulnerability was researched and reported by Internet Security
Systems (ISS).
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-291A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Oct 18, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ1VB130pj593lg50AQLY6wf+Kq/rI3wxG4rGr+OdVrpl3v+TfTMp6MX3
T0e99ybRSGKeWQCleMQYdBYrS+7UyCa28T1yE8ENe4SuYLPj7ttTqpd0AGxn7f8H
+qOY0GnJwXvrWlKCfVtAhjo5JFDxgZQV9P/13MwjcsJrGTtHzhuJ8YZc4RtSMyVX
4nf2s4Nymjd2+jIEX9BnwRIe/E47TRdFLSsza36mhKZLZV1lxLdJYywCZSsQLWNM
nL9gohRojR/6wQk8sLjef8LCv2JFu3btsqrrblcTWqfB6GhVR9OSUBhL+b8P/mme
jVd9eE0OS5v8rzhaEMiYIMI+pEZEpATj4BnVoLwPkLAoD6ObGJKHkQ==
=jjID
-----END PGP SIGNATURE-----