Snort, Sourcefire, and Nortel Threat Protection IDS/IPS DCE/RPC buffer overflow (SMB_WriteAndX_Frag_Bo)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), Proventia Server IPS for Linux technology, IBM Security Network Protection, Virtual Server Protection for Vmware, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, IBM Security Host Protection for Servers (Windows):

This signature looks for a specially-crafted SMB Write AndX message used to overflow a buffer in the DCE/RPC preprocessor's reassembly of fragmented SMB traffic.


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia Server IPS for Linux technology: 1.95, IBM Security Network Protection: 5.1, Virtual Server Protection for Vmware: 1.0, Proventia Network MFS: XPU 1.95, Proventia Network IPS: XPU 1.95, IBM Security Host Protection for Desktops: 1960, Proventia Network IDS: XPU 24.56, Proventia-G 1.1 and earlier: XPU 24.56, RealSecure Server Sensor: XPU 24.56, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.1960

Systems affected

Gentoo Linux; Snort 2.6.1, 2.6.1.1, 2.6.1.2 and 2.7 Beta1; Sourcefire Intrusion Sensors 4.1.x, 4.5.x and 4.6.x before SEU 64; Sourcefire Intrusion Sensors (Crossbeam) 4.1.x, 4.5.x and 4.6.x before SEU 64; Nortel Threat Protection System 2050, 2070, 2150, 2170 and Nortel Threat Protection System SEU

Type

Unauthorized Access Attempt

Vulnerability description

Snort IDS (Intrusion Detection System), Sourcefire Intrusion Sensor software, and Nortel Threat Protection System are vulnerable to a stack-based buffer overflow in the DCE/RPC preprocessor's reassembly of fragmented SMB traffic. By sending specially-crafted SMB traffic across a network segment monitored by a vulnerable sensor, a remote attacker could overflow a buffer and execute arbitrary code with the privileges of the Snort process, which is typically root on Unix or SYSTEM on Windows. The sensor does not need to be addressed directly: because it inspects traffic passively, SMB traffic exchanged between any two hosts on a monitored segment is enough to trigger the overflow.

How to remove this vulnerability

For Snort IDS/IPS:
Upgrade to the latest version of Snort (2.6.1.3 or later), available from the Snort Web site. See References.

For Gentoo Linux:
Refer to GLSA 200703-01 for patch, upgrade, or suggested workaround information. See References.

For Nortel Threat Protection:
Refer to Nortel Networks Security Advisory DOCUMENT ID 2007007755 for patch, upgrade, or suggested workaround information. See References.

As a workaround, disable the DCE/RPC preprocessor by removing or commenting out the "preprocessor dcerpc" directive (and its continuation lines) in snort.conf and restarting Snort. Be advised that disabling the DCE/RPC preprocessor removes detection of attacks carried in DCE/RPC and SMB traffic, so this is a stop-gap, not a fix. After upgrading, customers should re-enable the DCE/RPC preprocessor.
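The remediation steps above can be checked from the sensor itself. The following script is an added example written for this page; it is not X-Force or Snort project code. It assumes that "snort -V" prints a line containing "Version X.Y.Z" (as Snort 2.x does) and that the preprocessor directive is spelled "preprocessor dcerpc:" as in the Snort 2.6.1 snort.conf. The two snort.conf fragments it writes are constructed for the stand-alone run; point dcerpc_enabled at the real file on a sensor.

```shell
#!/bin/sh
# Added example (not from the X-Force page or the Snort project): audit a
# Snort sensor against CVE-2006-5276 and confirm the DCE/RPC workaround.
#
# Assumptions (labelled as such): "snort -V" prints "Version X.Y.Z", and the
# snort.conf directive is spelled "preprocessor dcerpc:" (Snort 2.6.1 syntax).

FIXED_VERSION="2.6.1.3"   # first release with the fix, per the advisory

# vercmp A B: prints -1, 0 or 1 comparing dotted numeric versions.
# Missing components count as 0, so "2.6.1" compares as "2.6.1.0".
vercmp() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# snort_status VERSION: prints "vulnerable" or "patched".
# 2.7 Beta1 is listed as affected on the page even though 2.7 > 2.6.1.3
# numerically, so it is matched by name before the numeric comparison.
snort_status() {
    v="$1"
    case "$v" in
        "2.7 Beta1"|"2.7 beta1"|"2.7.0 Beta1"|"2.7.0 beta1") echo vulnerable; return ;;
    esac
    num=$(printf '%s' "$v" | sed 's/[^0-9.].*//')   # keep the numeric prefix only
    if [ "$(vercmp "$num" "$FIXED_VERSION")" -lt 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# dcerpc_enabled CONF: returns 0 if an active (uncommented) DCE/RPC
# preprocessor directive is present in the given snort.conf, 1 otherwise.
dcerpc_enabled() {
    grep -Eq '^[[:space:]]*preprocessor[[:space:]]+dcerpc' "$1"
}

# make_sample_conf PATH on|off: writes a constructed snort.conf fragment,
# either with the preprocessor active or with the workaround applied.
make_sample_conf() {
    if [ "$2" = on ]; then
        cat > "$1" <<'EOF'
preprocessor dcerpc: \
    autodetect \
    max_frag_size 4000 \
    memcap 100000
EOF
    else
        cat > "$1" <<'EOF'
# Workaround for CVE-2006-5276: DCE/RPC preprocessor disabled until upgrade.
# preprocessor dcerpc: \
#     autodetect \
#     max_frag_size 4000 \
#     memcap 100000
EOF
    fi
}

# Stand-alone demo on constructed configs and version strings.
tmp=$(mktemp -d)
make_sample_conf "$tmp/on.conf" on
make_sample_conf "$tmp/off.conf" off
for c in "$tmp/on.conf" "$tmp/off.conf"; do
    if dcerpc_enabled "$c"; then
        echo "$c: DCE/RPC preprocessor active (requires Snort >= $FIXED_VERSION)"
    else
        echo "$c: DCE/RPC preprocessor disabled (workaround in place)"
    fi
done
for v in 2.6.1.2 2.6.1.3 "2.7 Beta1" 2.8.0; do
    echo "Snort $v: $(snort_status "$v")"
done
rm -rf "$tmp"

# On a real sensor, also check the installed binary (skipped if absent).
if command -v snort >/dev/null 2>&1; then
    live=$(snort -V 2>&1 | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    echo "installed Snort $live: $(snort_status "$live")"
fi
```

After commenting out the directive, validate the file with "snort -T -c /etc/snort/snort.conf" before restarting the sensor; -T tests the configuration without starting packet capture, so a typo in the edit does not take the sensor down.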

References

IBM Internet Security Systems Protection Advisory - Feb 19, 2007
Sourcefire Snort Remote Buffer Overflow
http://iss.net/threats/257.html

2007-02-19 Sourcefire Advisory
Vulnerability in Snort DCE/RPC Preprocessor
http://www.snort.org/docs/advisory-2007-02-19.html

Snort Web site
Snort - the de facto standard for intrusion detection/prevention
http://www.snort.org/

Sourcefire Web site
Sourcefire Network Security
http://www.sourcefire.com/

US-CERT Vulnerability Note VU#196240
Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets
http://www.kb.cert.org/vuls/id/196240

US-CERT Technical Cyber Security Alert TA07-050A
Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow
http://www.us-cert.gov/cas/techalerts/TA07-050A.html

Nortel Networks Security Advisory DOCUMENT ID 2007007755
Security vulnerability in TPS DCE/RPC preprocessor (CVE-2006-5276)
http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021923-01.pdf

GLSA 200703-01
Snort: Remote execution of arbitrary code
http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml

Offensive Security Exploit Database [04-09-2012]
Snort 2 DCE/RPC preprocessor Buffer Overflow
http://www.exploit-db.com/exploits/18723/

ISS X-Force
Snort, Sourcefire, and Nortel Threat Protection IDS/IPS DCE/RPC buffer overflow
http://www.iss.net/security_center/static/31275.php

CVE
CVE-2006-5276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276