Re: BO preproc exploit published

[byte_jump <bytejump () gmail com>]

On 10/26/05, Paul Melson <pmelson () gmail com> wrote:
> I saw that in the release notes.  To date, my sensors have not detected any
> attempts to exploit the bo preproc.  I suppose that now that there's
> publicly available code that I ought to test it. ;)
>
> PaulM


I didn't spend a ton of time on it, but I used the exploit code
against a Snort 2.4.0 Snort box with the BO preprocessor enabled.
Snort had been compiled with the SPP gcc (formerly ProPolice) and was
on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by
any means, but the exploit did not work and seemed to fail due to
ProPolice (this is a stack-based buffer overflow). The exploit did
work against a similar server without ProPolice and grsecurity.

Honestly, I'm very disappointed that 1) Sourcefire doesn't use
ProPolice and grsecurity on their sensors, and 2) that Snort.org does
not encourage folks to use those security mechanisms, too. Those
security measures certainly seemed to work in my less-than-scientific
test.


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users