Snort mailing list archives
Re: BO preproc exploit published
From: byte_jump <bytejump () gmail com>
Date: Wed, 26 Oct 2005 16:52:26 -0600
On 10/26/05, Paul Melson <pmelson () gmail com> wrote:
I saw that in the release notes. To date, my sensors have not detected any attempts to exploit the bo preproc. I suppose that now that there's publicly available code that I ought to test it. ;) PaulM
I didn't spend a ton of time on it, but I used the exploit code against a Snort 2.4.0 Snort box with the BO preprocessor enabled. Snort had been compiled with the SPP gcc (formerly ProPolice) and was on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by any means, but the exploit did not work and seemed to fail due to ProPolice (this is a stack-based buffer overflow). The exploit did work against a similar server without ProPolice and grsecurity. Honestly, I'm very disappointed that 1) Sourcefire doesn't use ProPolice and grsecurity on their sensors, and 2) that Snort.org does not encourage folks to use those security mechanisms, too. Those security measures certainly seemed to work in my less-than-scientific test. ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BO preproc exploit published Paul Melson (Oct 25)
- Re: BO preproc exploit published Matthew Watchinski (Oct 26)
- RE: BO preproc exploit published Paul Melson (Oct 26)
- Re: BO preproc exploit published byte_jump (Oct 26)
- Re: BO preproc exploit published Murali Raju (Oct 27)
- RE: BO preproc exploit published Paul Melson (Oct 26)
- Re: BO preproc exploit published Matthew Watchinski (Oct 26)
- <Possible follow-ups>
- Re: BO preproc exploit published byte_jump (Oct 26)
- Re: BO preproc exploit published Richard Harman (Oct 26)
- RE: BO preproc exploit published Ron Jenkins (Oct 26)
- BO preproc exploit published Paul . Melson (Nov 01)