RE: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor

["Geoff Craig" <GCraig () quilogy com>]

Hello,
 
Is there any time frame for when a complied Win32 .exe of 1.9.1 will become available?  Or could someone point to steps 
for compiling the available 1.9.1 Win32 src?
 
Thanks,

        -----Original Message----- 
        From: Martin Roesch [mailto:roesch () sourcefire com] 
        Sent: Mon 3/3/2003 5:53 PM 
        To: focus-ids () securityfocus com 
        Cc: 
        Subject: [Snort-2003-001] Buffer overflow in Snort RPC preprocessor
        
        

        Snort Vulnerability Advisory [SNORT-2003-001]
        
        Date: 2003-03-03
        
        Affected Snort Versions:
        
        Any version starting with version 1.8 to those before 2003-03-03 1PM/
        US/Eastern including 1.9.0 and CVS HEAD (Snort 2.0beta)
        
        Synopsis:
        
        A buffer overflow has been found in the snort RPC normalization
        routines by ISS X-Force.  This can cause snort to execute arbitrary
        code embedded within sniffed network packets. This preprocessor is
        enabled by default.
        
        Snort 1.9.1 has been released to resolve this issue. For users using
        CVS HEAD, a fix has been committed to the source tree.
        
        Mitigation:
        
        If you are in an environment that can not upgrade snort immediately,
        comment out the line in your snort.conf that begins:
        
        preprocessor rpc_decode
        
        and replace it with
        
        # preprocessor rpc_decode
        
        Details:
        
        When the rpc decoder normalizes fragmented RPC records, it incorrectly
        checks the lengths of what is being normalized against the current
        packet size.
        
        The rpc decoder in Snort 1.9.1 and above contains new alert options
        that can be used to help detect this attack
        
        Option                    Default State
        
        alert_fragments           INACTIVE
        alert_large_fragments     ACTIVE
        alert_incomplete          ACTIVE
        alert_multiple_requests   ACTIVE
        
        
        The first option will alert on any rpc fragmented record it finds.
        Large fragments will alert when the reassembled fragment record will
        exceed the current packet length.  The incomplete record will alert
        when there is a partial record found.  The alert_multiple_requests will
        alert when we find more than one RPC request per packet ( or
        reassembled packet ).
        
        Download Locations:
        
        Sourcefire has acquired additional bandwidth and hosting to aid users
        wishing to upgrade their Snort implementation.  Binaries are currently
        not available, this is a source release only at this time.  As new
        binaries become available they will be added to the site.
        
        Source code: http://www.snort.org/dl/snort-1.9.1.tar.gz
        GPG Signatures: http://www.snort.org/dl/snort-1.9.1.tar.gz.asc
        
        CVS HEAD (Snort 2.0beta)  has been fixed as well.
        
        
        --
        Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
        Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
        roesch () sourcefire com - http://www.sourcefire.com
        Snort: Open Source Network IDS - http://www.snort.org
        
        
        -----------------------------------------------------------
        <Pre>Lose another weekend managing your IDS?
        Take back your personal time.
        15-day free trial of StillSecure Border Guard.</Pre>
        <A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>