Signature Detail

APP: Snort BackOrifice Preprocessor Denial of Service

This signature detects attempts to exploit a known vulnerability against Snort Back Orifice preprocessor. Snort version 2.4.2 and prior are vulnerable. A successful attack can create a denial-of-service condition, rendering the Snort sensor ineffective.

Extended Description

Snort is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the Back Orifice preprocessor. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation. Due to the nature of this issue, attackers may exploit it by sending a single UDP packet with a potentially spoofed source address to an arbitrary destination address and port. As long as the application can sniff the packet, it may be exploited. These aspects of this issue may aid attackers in bypassing firewalls in order to compromise a wider number of computers. Reportedly, this issue is difficult to reliably exploit across differing operating systems and compiler versions. Failed exploit attempts likely result in crashing the application, thereby disabling detection of other attacks. Snort versions 2.4.0 through 2.4.2 are affected by this issue. Other versions may also be affected, but this has not been confirmed.

Affected Products

• Nortel Networks Threat Protection System Defense Center 4.1.0
• Nortel Networks Threat Protection System Intrusion Sensor 4.1.0
• Snort Project Snort 2.4.0 .0
• Snort Project Snort 2.4.1
• Snort Project Snort 2.4.2

References

• BugTraq: 15131
• CVE: CVE-2005-3252
• URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0505.html
• URL: http://www.us-cert.gov/cas/techalerts/TA05-291A.html