Signature Detail

APP: Snort BackOrifice Preprocessor Buffer Overflow

This signature detects attempts to exploits a known vulnerability against the Back Orifice Preprocessor of Snort. Snort versions 2.4.x and Nortel Threat Protection 4.1 are vulnerable. Attackers can send a maliciously crafted UDP packet to create a buffer overflow and execute arbitrary code.

Extended Description

Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation. Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers. Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks. Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed.

Affected Products

• Nortel Networks Threat Protection System Defense Center 4.1.0
• Nortel Networks Threat Protection System Intrusion Sensor 4.1.0
• Snort Project Snort 2.4.0 .0
• Snort Project Snort 2.4.1
• Snort Project Snort 2.4.2

References

• BugTraq: 15131
• CVE: CVE-2005-3252