VRT Advisories


Snort Back Orifice Vulnerability

Date: 2005-10-18

The Sourcefire Vulnerability Research Team (VRT) has learned of a vulnerability in Snort v2.4.0 - 2.4.2. Users are only vulnerable if the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released to correct the issue. In addition, detailed instructions for mitigating the issue by disabling the Back Orifice preprocessor are included below.

Snort v2.4.3:
In addition to fixing the vulnerability, this version includes a mechanism to detect exploits against vulnerable sensors and, optionally for inline sensors, drop the offending traffic. These features enables a phased approach to upgrading while protecting unpatched sensors. Detection capabilities are part of the new preprocessor and therefore are available to all users regardless of subscription status.

In addition to the source tarball, postgres, mysql and plain RPMs and a win32 installer are available here. Please remember that updated rules are only included in major releases. Click here for updated rules.

Mitigation Instructions:
The Back Orifice preprocessor can be disabled by commenting out the line "preprocessor bo" in snort.conf. This can be done in any text editor using the following procedure:

  1. Locate the line "preprocessor bo"
  2. Comment out this line by preceding it with a hash (#). The new line will look like "#preprocessor bo"
  3. Save the file
  4. Restart snort

On Thursday, October 13th Sourcefire was contacted by USCERT with news of a vulnerability in Snort. We used the subsequent days to verify the vulnerability and to prepare mitigation strategies and the software updates necessary to fix the vulnerability for both Sourcefire customers and Snort users. While it cannot be said that no other problems will ever be found in the Snort code base, we can state that we will redouble our efforts to ensure the security of the system so many people have come to rely on for the detection of network-based threats. Sourcefire will also continue to work with the most sophisticated testing facilities in the industry to assure that every reasonable step is being taken to provide the most secure code base possible.

Technical Details:
The Back Orifice preprocessor contains a stack-based buffer overflow. This vulnerability could be leveraged by an attacker to execute code remotely on a Snort sensor where the Back Orifice preprocessor is enabled. However, there are a number of factors that make remote code execution difficult to achieve across different builds of Snort on different platforms, even on the same platform with different compiler versions, and it is more likely that an attacker could use the vulnerability as a denial of service attack.

If you have any questions, please contact the snort team.