Status Tracking Note TRTA07-050A

Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow

Overview

Sourcefire Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules.
Event Information

Date (UTC)Description
2007-03-01 Bugtraq
Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)
Vulnerability Proof Of Concept (CVE-2006-5276)
#Cid: 22616-Command-Exec.py
#Tested: Snort 2.6.1 on Windows XP SP2
2007-02-23 Bugtraq
Snort/Sourcefire DCE/RPC Packet Reassembly Stack Buffer Overflow Vulnerability
Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
Vulnerability Proof Of Concept (CVE-2006-5276)
#Cid: 22616.py
#Tested: Snort 2.6.1 on Fedora Core 4
2007-02-19 22:54 US-CERT
TA07-050A: Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow
Via US-CERT Mailing List
2007-02-19 18:29 SANS Internet Storm Center
Sourcefire addresses Snort vulnerability
The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors. The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.
2007-02-19 15:20 US-CERT
Vulnerability in Sourcefire Snort Preprocessor
US-CERT is aware of a stack-based buffer overflow vulnerability in the Sourcefire Snort DCE/PRC preprocessor. Sourcefire Snort is an intrusion detection and prevention solution and is included with a variety of UNIX and Linux distributions.
2007-02-19 Internet Security Systems
Sourcefire Snort Remote Buffer Overflow


Date first published (UTC): 2007-02-20T05:21+00:00
Date last updated (UTC): 2007-03-10T11:13+00:00