Protection provided by: BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, IBM Security Host Protection for Servers (Windows), BlackICE Server Protection, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Desktop, Proventia Network IPS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, Virtual Server Protection for VMware
Signature description: This signature looks for a specially-crafted SMB Write_AndX message that is used to conduct an overflow.
Risk level: High
Signature introduced in: BlackICE PC Protection 3.6cqb; RealSecure Server Sensor XPU 24.56; RealSecure Network XPU 24.56; IBM Security Host Protection for Servers (Windows) 2.1.14.2400; BlackICE Server Protection 3.6.cqb; IBM Security Host Protection for Servers (Windows) 1.0.914.1960; Proventia Network IDS XPU 24.56; Proventia Network MFS XPU 1.95; Proventia-G 1.1 and earlier XPU 24.56; RealSecure Desktop eqb; Proventia Network IPS XPU 1.95; IBM Security Host Protection for Desktops 1960; IBM Security Host Protection for Servers (Unix) 2.2.2; Proventia Server IPS for Linux technology 1.95; Virtual Server Protection for VMware 1.0
Affected products and versions: Gentoo Linux; Snort 2.6.1, 2.6.1.1, 2.6.1.2 and 2.7 Beta1; Sourcefire Intrusion Sensors 4.1.x, 4.5.x and 4.6.x before SEU 64; Sourcefire Intrusion Sensors (Crossbeam) 4.1.x, 4.5.x and 4.6.x before SEU 64; Nortel Threat Protection System 2050, 2070, 2150, 2170 and SEU
Category: Unauthorized Access Attempt
Vulnerability description: Snort IDS (Intrusion Detection System), Sourcefire Intrusion Sensor software, and Nortel Threat Protection are vulnerable to a stack-based buffer overflow in the DCE/RPC reassembly process. By sending specially-crafted SMB traffic to a vulnerable system, a remote attacker could overflow a buffer and execute arbitrary code on the system with root or SYSTEM privileges.
Remediation:
For Snort IDS/IPS: Upgrade to the latest version of Snort (2.6.1.3 or later), available from the Snort Web site. See References.
For Gentoo Linux: Refer to GLSA 200703-01 for patch, upgrade, or suggested workaround information. See References.
For Nortel Threat Protection: Refer to Nortel Networks Security Advisory DOCUMENT ID 2007007755 for patch, upgrade, or suggested workaround information. See References.
Workaround: Disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. Be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks carried in DCE/RPC traffic, so customers should re-enable the DCE/RPC preprocessor after upgrading.
References:
IBM Internet Security Systems Protection Advisory (Feb 19, 2007): Sourcefire Snort Remote Buffer Overflow. http://iss.net/threats/257.html
Sourcefire Advisory (2007-02-19): Vulnerability in Snort DCE/RPC Preprocessor. http://www.snort.org/docs/advisory-2007-02-19.html
Snort Web site: Snort - the de facto standard for intrusion detection/prevention. http://www.snort.org/
Sourcefire Web site: Sourcefire Network Security. http://www.sourcefire.com/
US-CERT Vulnerability Note VU#196240: Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets. http://www.kb.cert.org/vuls/id/196240
US-CERT Technical Cyber Security Alert TA07-050A: Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow. http://www.us-cert.gov/cas/techalerts/TA07-050A.html
Nortel Networks Security Advisory DOCUMENT ID 2007007755: Security vulnerability in TPS DCE/RPC preprocessor (CVE-2006-5276). http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021923-01.pdf
GLSA 200703-01: Snort: Remote execution of arbitrary code. http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml
Offensive Security Exploit Database (04-09-2012): Snort 2 DCE/RPC preprocessor Buffer Overflow. http://www.exploit-db.com/exploits/18723/
ISS X-Force: Snort, Sourcefire, and Nortel Threat Protection IDS/IPS DCE/RPC buffer overflow. http://www.iss.net/security_center/static/31275.php
CVE: CVE-2006-5276. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276