Free Republic
News/Activism

Buffer overflow flaw socks Snort
ZDNet ^ | March 4, 2003, 8:38 AM PT | Patrick Gray

Posted on 03/04/2003 12:26:52 PM PST by Bush2000

By Patrick Gray
ZDNet Australia
March 4, 2003, 8:38 AM PT

The discovery and disclosure of a serious vulnerability in the Sendmail e-mail software by Atlanta-based security giant Internet Security Systems (ISS) is starving another vulnerability of the attention it deserves.

ISS has also disclosed a buffer overflow vulnerability in Snort, a widely used open-source intrusion detection system.

"Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process," the advisory said.

Snort is a network-based intrusion detection system (IDS) which passively sniffs traffic on a network segment and compares it against known attack signatures. Snort logs any suspicious activity it detects, allowing system administrators to respond to attacks or use the collected data in forensic work.

By sending specially formed "fragmented RPC" data across a network monitored by a Snort sensor, it is possible to compromise the sensor. The attacker does not need to address the sensor at all: it parses every packet it sees, so any traffic that crosses a monitored segment is attack surface for the decoder.

If an attacker can gain access to an IDS they may be able to delete its logs, add false log entries or simply shut the whole system down. Once the IDS is "switched off" an attacker can be as indiscreet as they like without setting the alarm bells ringing, which is serious according to Melbourne-based security consultant Nathan Macrides.

"Your IDS is supposed to be detecting exploits to vulnerabilities, not being exploited itself," he said. Under certain conditions, this vulnerability may allow an attacker to gain a foothold in a network by compromising a Snort system; however, this can be avoided if the IDS is set up properly.

Macrides says IDSes can be set up so that vulnerabilities in their own software don't render the rest of the network vulnerable to attack, but companies often shy away from the extra cost. In practice that means a sniffing interface with no IP address, the Snort process dropped to an unprivileged user (and ideally confined to a chroot), and management over a separate interface, so that code running with the privileges of the IDS process has as little reach as possible.

He believes in spending the extra time and money when deploying any IDS "because you just don't know when these things are going to happen".


TOPICS: Business/Economy; Technical
KEYWORDS: opensource; snort
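
The bug class the article describes, as an added example that is not Snort's code, ISS's advisory text or any exploit: a decoder that reassembles length-prefixed fragments into a fixed buffer. The fragment layout is assumed here to follow the RPC record-marking convention (a 4-byte big-endian header whose top bit flags the last fragment and whose low 31 bits give the fragment length). The vulnerable version checks each fragment against the whole buffer but never the running total, so three fragments that each pass the check together overrun it; the fixed version checks against the space remaining. Buffer sizes, function names and the sample fragments are constructed for the illustration, and the backing array is deliberately larger than the capacity the decoder is told so the overrun lands somewhere observable instead of in undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes, not Snort's. OUT_CAP is the buffer the decoder believes it
 * owns; BACKING is the physically larger array it sits in, so the overrun can be
 * inspected instead of corrupting whatever the allocator placed next. */
#define OUT_CAP 64
#define BACKING 256

/* Big-endian record-marking header: MSB set = last fragment, low 31 bits = length. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Append one fragment (4-byte header + payload) to a stream under construction.
 * Returns the new stream length. */
size_t add_fragment(uint8_t *stream, size_t pos, const uint8_t *payload,
                    uint32_t len, int last) {
    uint32_t hdr = (last ? 0x80000000u : 0u) | (len & 0x7fffffffu);
    stream[pos++] = (uint8_t)(hdr >> 24);
    stream[pos++] = (uint8_t)(hdr >> 16);
    stream[pos++] = (uint8_t)(hdr >> 8);
    stream[pos++] = (uint8_t)hdr;
    memcpy(stream + pos, payload, len);
    return pos + len;
}

/* Vulnerable reassembler: each fragment is checked against the whole buffer, but
 * the running total never is, so several individually "legal" fragments walk the
 * write pointer past out + out_cap. Returns 0 once the last fragment is copied,
 * -1 on malformed input. */
int reassemble_vulnerable(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t pos = 0, used = 0;
    while (in_len - pos >= 4) {
        uint32_t hdr = be32(in + pos);
        size_t flen = hdr & 0x7fffffffu;
        int last = (hdr & 0x80000000u) != 0;
        pos += 4;
        if (flen > in_len - pos) return -1;  /* truncated fragment */
        if (flen > out_cap) return -1;       /* BUG: per-fragment check only */
        memcpy(out + used, in + pos, flen);  /* overruns once used + flen > out_cap */
        used += flen;
        pos += flen;
        if (last) { *out_len = used; return 0; }
    }
    return -1;  /* input ended before the last fragment */
}

/* Fixed reassembler: the only change is that the bound is the space remaining
 * after the fragments already copied. */
int reassemble_fixed(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t pos = 0, used = 0;
    while (in_len - pos >= 4) {
        uint32_t hdr = be32(in + pos);
        size_t flen = hdr & 0x7fffffffu;
        int last = (hdr & 0x80000000u) != 0;
        pos += 4;
        if (flen > in_len - pos) return -1;
        if (flen > out_cap - used) return -1;  /* cumulative bound */
        memcpy(out + used, in + pos, flen);
        used += flen;
        pos += flen;
        if (last) { *out_len = used; return 0; }
    }
    return -1;
}

/* Constructed attack stream: three 40-byte fragments (120 bytes in total) aimed at a
 * 64-byte buffer. No single fragment exceeds 64, so the vulnerable check passes. */
size_t build_overlong_stream(uint8_t *stream) {
    uint8_t a[40], b[40], c[40];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    memset(c, 'C', sizeof c);
    size_t n = 0;
    n = add_fragment(stream, n, a, sizeof a, 0);
    n = add_fragment(stream, n, b, sizeof b, 0);
    n = add_fragment(stream, n, c, sizeof c, 1);
    return n;
}

int main(void) {
    uint8_t stream[BACKING], backing[BACKING];
    size_t n = build_overlong_stream(stream), got = 0;

    memset(backing, 0, sizeof backing);
    int rc = reassemble_vulnerable(stream, n, backing, OUT_CAP, &got);
    printf("vulnerable: rc=%d, %zu bytes reassembled into a %d-byte buffer, "
           "byte at offset 100 = '%c'\n", rc, got, OUT_CAP, backing[100]);

    memset(backing, 0, sizeof backing);
    got = 0;
    rc = reassemble_fixed(stream, n, backing, OUT_CAP, &got);
    printf("fixed: rc=%d, byte at offset 100 = %d (nothing written past %d)\n",
           rc, backing[100], OUT_CAP);
    return 0;
}
```

Build with any C99 compiler and run: the vulnerable decoder reports 120 bytes reassembled into a 64-byte buffer with the third fragment visible past offset 100, while the fixed decoder rejects the second fragment and leaves everything beyond the buffer untouched. In a real sensor the bytes landing past the buffer overwrite whatever the allocator or stack placed next, which is what turns a passive monitor into a remotely reachable target.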
ABMers, it just hasn't been your week...
1 posted on 03/04/2003 12:26:52 PM PST by Bush2000

To: Incorrigible; PatrioticAmerican
Chortling, Snorting Bump
2 posted on 03/04/2003 12:28:18 PM PST by Bush2000

To: Bush2000
When you find an Open Source bug that grinds parts of the Internet (or at least a few dozen Fortune 500 companies) to a halt, let us know...
3 posted on 03/04/2003 12:31:28 PM PST by Question_Assumptions

To: Question_Assumptions
When you find an Open Source bug that grinds parts of the Internet (or at least a few dozen Fortune 500 companies) to a halt, let us know...

That would depend on your ABMer buddies diverting their resources from writing Nimda and Slammer-like worms to target *nix.
4 posted on 03/04/2003 12:49:15 PM PST by Bush2000

To: Bush2000
The fix for SNORT is already released this afternoon.
5 posted on 03/04/2003 12:51:29 PM PST by Rifleman

To: Bush2000
Did you ever think that Windows vulnerabilities have been more catastrophic because they've simply been worse and easier to exploit? Of course let's not forget the fact that Windows simply isn't secure enough to withstand the scrutiny of having its source code laid open to the public.

Out of curiosity, do you have any evidence that "ABMers" are behind any of the major Windows viruses or worms? Or like any good True Believer, are you simply inventing the first convenient explanation that comes to mind and simply declaring it true?

It has been my personal experience that (A) the most capable Windows virus writers are those most familiar with Windows and Microsoft software and (B) most hard-core "ABMers" don't even run Windows and could care less about it. That, I would think, makes some sense, since one would assume that you'd need to know something about how Windows works to write a virus or worm, wouldn't you?

Of course it should be easy enough for you to prove your assertion correct and my experiences wrong. You should have no trouble finding some examples of virus or worm writers who are known to have been motivated by anti-Microsoft feelings.

6 posted on 03/04/2003 1:19:30 PM PST by Question_Assumptions

To: Rifleman
The emperor has no clothes, dude. Quality of open source code is taking a beating...
7 posted on 03/04/2003 1:20:44 PM PST by Bush2000

To: Question_Assumptions
Did you ever think that Windows vulnerabilities have been more catastrophic because they've simply been worse and easier to exploit?

No, because that simply isn't true. If the people that found this problem in SNORT and Sendmail had written a self-propagating worm, there would have been tremendous repercussions. It could easily have brought the Internet to a standstill. You'll deny it, like a good OSS lapdog. But that doesn't make it any less true.

Out of curiosity, do you have any evidence that "ABMers" are behind any of the major Windows viruses or worms?

Only common sense, something that ABMers are devoid of. These hacks were clearly orchestrated by people who don't like Microsoft and/or Windows.
8 posted on 03/04/2003 1:25:17 PM PST by Bush2000

To: Bush2000
ABMers, it just hasn't been your week...

Yes, the ten seconds it took to open the Mac OS X Software Update control panel and start downloading the security patch has been irretrievably lost. I should have just waited for the automatic update cycle to run...

That would depend on your ABMer buddies diverting their resources from writing Nimda and Slammer-like worms to target *nix.

What is the evidence for your claim that Microsoft security holes are being exploited by *nix users?

Common sense would indicate that Microsoft viruses and worms are written by Microsoft users.

For example - Nimda was developed with Microsoft Visual C.

9 posted on 03/04/2003 1:26:18 PM PST by HAL9000

To: Bush2000
And you know what? In an enterprise environment, bugs with Sendmail or Snort get patched in hours. With an MS patch, people have to go through hours and hours of testing with different platforms, service packs, etc to ensure it's not going to crash their server when they install it.
10 posted on 03/04/2003 1:34:36 PM PST by sigSEGV

To: HAL9000
Yes, the ten seconds it took to open the Mac OS X Software Update control panel and start downloading the security patch has been irretrievably lost. I should have just waited for the automatic update cycle to run...

Listen to laughing boy. As if that improves the quality of the crapware code you're running ...

What is the evidence for your claim that Microsoft security holes are being exploited by *nix users?

It's my personal opinion. Common sense dictates that it's probably OSS-suckling, hygiene-shunning, self-esteem-challenged *nix punks that are behind the Slammer and Nimda hacks...

For example - Nimda was developed with Microsoft Visual C

You were expecting IBM C for RS/6000?!?
11 posted on 03/04/2003 1:35:10 PM PST by Bush2000

Comment #12 Removed by Moderator

To: Bush2000
A sense of perspective here:

Two Windows advisories so far this year (CA-2003-04: MS-SQL Server Worm and CA-2003-03: Buffer Overflow in Windows Locator Service). One of which already has a malicious worm attack which results in a vast DDOS attack on the Internet.

On the other hand

Three theoretical compromises for open source (CA-2003-07: Remote Buffer Overflow in Sendmail; CA-2003-02: Double-Free Bug in CVS Server; and the one in the article) of which there has been no reported exploitation.

And somehow this is bad news for the Open Source community? Sounds to me like the openness of the software allowed for 3rd party review and for the fixes to be published in a timely manner.
13 posted on 03/04/2003 1:37:55 PM PST by taxcontrol

To: taxcontrol
And somehow this is bad news for the Open Source community?

Yeah, it is.

A. Both of these products are very widely used. If a malicious user were to craft a worm, it could have devastating consequences on Internet infrastructure.

B. It puts the lie to the claim that open source code is better quality. Fact: It's no better than closed source.

C. You're operating on the bogus assumption that this was a "timely" fix. The fact is that ISS notified the Snort and Sendmail folks in advance of announcing the problem to the general public. The turnaround time sounds instantaneous to you merely because you weren't even aware of the latency between notification, debugging, testing, and patch.
14 posted on 03/04/2003 1:42:13 PM PST by Bush2000

To: Bush2000
So you have zero evidence to support your claims, just your personal conjecture. The voices in your head said "Blame the *nix programmers" - therefore, it must be true?

In order to agree with your foolish theory, one must ignore the facts that Microsoft worms and viruses are written in Microsoft languages using Microsoft tools running under Microsoft operating systems by experts in Microsoft security flaws within Microsoft products.

15 posted on 03/04/2003 2:02:48 PM PST by HAL9000

To: HAL9000
I don't know why y'all bother responding to him. It's been obvious to me for some time that he's a paid astroturfer.

Sendmail is the most widely used MTA in the world, yet, even it hasn't managed to bring the net to its knees the way that the various windows worms have over the past couple of years. Apache is the most popular web server by far, yet the astroturfers claim that windows is the target because it is 'so widespread'.

Unix servers run the web. They are the backbone of it. If they were anywhere near close to being as vulnerable as the house of cards we laughingly call an operating system from redmond, the internet would not function to any acceptable degree. We'd all still be using Fidonet.

windows is fine for little old ladies who just want to send email to their grandkids, but I certainly wouldn't feel comfortable with depending upon it actually doing anything important over an extended period of time without significant interruptions.

It took me a couple of minutes to update my sendmail daemons, and required no boot of the machine to do it. Some people obviously don't have to depend upon their systems to work. I do.

16 posted on 03/04/2003 2:19:47 PM PST by zeugma (If you use microsoft products, you are feeding the beast.)

To: Bush2000
I have a serious question for you (the silliness of your comments about open-source code quality, aside): With the new HIPAA regulations, aren't lawyers and we developers who put systems in hospitals violating them by having any Windows system later than Win2K SP2? That's a serious question. Our attorneys are looking at it--and will continue if you say no. But, please be forthright. It's a serious question. Will your MS legal staff defend us?
17 posted on 03/04/2003 2:40:31 PM PST by jammer

To: zeugma
windows is fine for little old ladies who just want to send email to their grandkids

I don't think it's even suitable for that.

I gave my mother an iMac last year. Now the email is much easier for her to use than Windows' hopelessly bug-ridden Outlook Express was. She's also doing a lot of things she never did when she was a Windows user - using iTunes for Internet radio, iPhoto for her digital camera, burning CD-ROMs, etc.

18 posted on 03/04/2003 2:49:54 PM PST by HAL9000

To: zeugma
Sendmail is the most widely used MTA in the world, yet, even it hasn't managed to bring the net to its knees the way that the various windows worms have over the past couple of years.

Only because no one has sought to exploit it.
19 posted on 03/04/2003 3:13:18 PM PST by Bush2000

To: HAL9000
So you have zero evidence to support your claims, just your personal conjecture. The voices in your head said "Blame the *nix programmers" - therefore, it must be true?

Open source fanatics have a lot to gain by tarring Microsoft products. That's a pretty compelling motivation to ignore.

In order to agree with your foolish theory, one must ignore the facts that Microsoft worms and viruses are written in Microsoft languages using Microsoft tools running under Microsoft operating systems by experts in Microsoft security flaws within Microsoft products.

First of all, your assertion that these worms are necessarily written in Microsoft languages is false. A worm can be written in practically any language capable of establishing a network connection with another device. Second, the roadmap to the exploit is given in the CERT advisories. It doesn't take a genius or an expert to exploit them. Just the motivation to do so.
20 posted on 03/04/2003 3:25:33 PM PST by Bush2000
