
Security Research

Security Vulnerability
Snort RPC Preprocessor Remote Heap Corruption Vulnerability

Published: 2003-03-04
Updated: 2003-03-04

Affected systems:
Martin Roesch Snort 1.9.0
Martin Roesch Snort 1.8.7
Martin Roesch Snort 1.8.6
Martin Roesch Snort 1.8.5
Martin Roesch Snort 1.8.4
Martin Roesch Snort 1.8.3
Martin Roesch Snort 1.8.2
Martin Roesch Snort 1.8.1
Martin Roesch Snort 1.8
Unaffected systems:
Martin Roesch Snort 1.9.1
Description:
BUGTRAQ ID: 6963
CVE(CAN) ID: CVE-2003-0033

Snort is a popular open-source network intrusion detection system.

A buffer overflow exists in the implementation of the Snort network sensor. A remote attacker can exploit it to deny service to the Snort process or to execute arbitrary code on the sensor host with root privileges.

Since version 1.8, Snort has included code that detects attacks using RPC fragmentation to evade detection. When the RPC preprocessor handles fragmented RPC traffic, it uses an incorrect comparison while checking and reassembling the fragments, which can corrupt the heap. A remote attacker can exploit this by sending malformed packets across a monitored segment, either crashing the sensor process (denial of service) or executing arbitrary code with the privileges of the sensor process, which is usually root. Because the sensor normally listens in promiscuous mode to all traffic on its segment, the attacker needs neither to know where the sensor is nor to establish any direct connection to it: any packet that crosses the monitored segment reaches the vulnerable code. The RPC preprocessor is enabled by default.
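The check that such a reassembler must make, shown as an added example rather than Snort's own spp_rpc_decode code: RPC over TCP uses record marking (RFC 5531, section 11), a 4-byte big-endian header per fragment whose top bit flags the last fragment and whose low 31 bits carry an attacker-controlled payload length. Copying each fragment into a heap buffer is only safe when that length is compared, in unsigned arithmetic, against the bytes still remaining in the packet and the space still remaining in the destination, before any memcpy. The function and constant names, the result codes and the sample packets below are constructed for this illustration and do not come from the advisory or from Snort.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RPC record marking (RFC 5531 section 11): each fragment is preceded by a
 * 4-byte big-endian header; bit 31 flags the last fragment and bits 0..30
 * give that fragment's payload length. */
#define RPC_LAST_FRAG 0x80000000u
#define RPC_FRAG_LEN  0x7FFFFFFFu

/* Result codes are hypothetical, chosen for this example. */
enum rpc_result {
    RPC_OK           =  0,
    RPC_TRUNCATED    = -1,  /* header or payload runs past the end of the packet */
    RPC_TOO_LARGE    = -2,  /* reassembled data would not fit in the destination */
    RPC_NO_LAST_FRAG = -3   /* packet ended without a last-fragment marker */
};

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Strip the record-marking headers from pkt[0..pktlen) and concatenate the
 * fragment payloads into out[0..outcap). Returns RPC_OK and sets *outlen on
 * success, or a negative rpc_result on malformed input. Every fragment length
 * is checked against the bytes *remaining* in the packet and in the
 * destination (not the totals), in unsigned arithmetic, before the copy. */
int rpc_reassemble(const uint8_t *pkt, size_t pktlen,
                   uint8_t *out, size_t outcap, size_t *outlen)
{
    size_t in = 0, o = 0;

    while (pktlen - in >= 4) {
        uint32_t hdr  = rd_be32(pkt + in);
        uint32_t flen = hdr & RPC_FRAG_LEN;
        in += 4;

        if (flen > pktlen - in)   /* header claims more bytes than the packet holds */
            return RPC_TRUNCATED;
        if (flen > outcap - o)    /* copy would run past the end of the heap buffer */
            return RPC_TOO_LARGE;

        memcpy(out + o, pkt + in, flen);
        o  += flen;
        in += flen;

        if (hdr & RPC_LAST_FRAG) {
            *outlen = o;
            return RPC_OK;
        }
    }
    return (in == pktlen) ? RPC_NO_LAST_FRAG : RPC_TRUNCATED;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_VALID[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',  /* fragment 1, 5 bytes      */
    0x80, 0x00, 0x00, 0x05, 'w', 'o', 'r', 'l', 'd'   /* last fragment, 5 bytes   */
};
/* Header advertises 0x7FFFFFFF payload bytes while only 3 follow. */
static const uint8_t PKT_LYING_LEN[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c' };

/* Well-formed input: returns the reassembled length (10), or -1 on mismatch. */
int demo_valid(void)
{
    uint8_t *out = malloc(32);
    size_t n = 0;
    int rc = rpc_reassemble(PKT_VALID, sizeof PKT_VALID, out, 32, &n);
    int ok = (rc == RPC_OK && n == 10 && memcmp(out, "helloworld", 10) == 0);
    free(out);
    return ok ? (int)n : -1;
}

/* Fragment length larger than the packet: rejected before any copy. */
int demo_lying_length(void)
{
    uint8_t *out = malloc(32);
    size_t n = 0;
    int rc = rpc_reassemble(PKT_LYING_LEN, sizeof PKT_LYING_LEN, out, 32, &n);
    free(out);
    return rc;
}

/* Well-formed on the wire, but the 8-byte heap buffer cannot hold 10 bytes:
 * the second fragment is refused instead of overflowing the allocation. */
int demo_small_dest(void)
{
    uint8_t *out = malloc(8);
    size_t n = 0;
    int rc = rpc_reassemble(PKT_VALID, sizeof PKT_VALID, out, 8, &n);
    free(out);
    return rc;
}

int main(void)
{
    printf("valid packet       -> %d bytes reassembled\n", demo_valid());
    printf("lying length       -> %d (RPC_TRUNCATED)\n", demo_lying_length());
    printf("small destination  -> %d (RPC_TOO_LARGE)\n", demo_small_dest());
    return 0;
}
```

The two guards are deliberately written as `flen > remaining` on unsigned operands: a comparison against the packet's total length, or one performed in signed arithmetic, passes lengths that the copy cannot satisfy, which is the shape of bug that turns a passively sniffed packet into heap corruption in the sensor process.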

<*Source: ISS X-Force (xforce@iss.net)
  
  Links: http://www.kb.cert.org/vuls/id/916785
        http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
        http://www.linux-mandrake.com/en/security/2003/2003-029.php
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000613
*>

Recommendations:
Workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the risk:

* Disable the RPC preprocessor.

In snort.conf, find the line:

preprocessor rpc_decode

and replace it with

# preprocessor rpc_decode

(In many snort.conf files the directive is followed by a colon and a list of RPC ports; comment out the whole line.) Then restart the Snort sensor. Note that with the preprocessor disabled the sensor no longer reassembles RPC fragments, so RPC attacks split across fragments can evade detection until the sensor is upgraded.

Vendor patches:

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:029) with corresponding patches:
MDKSA-2003:029: Updated snort packages fix buffer overflow vulnerability
Link: http://www.linux-mandrake.com/en/security/2003/2003-029.php

Patch downloads:
Updated Packages:

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-bloat-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-mysql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-postgresql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/snort-snmp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/snort-1.9.1-0.5mdk.src.rpm

Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-bloat-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-mysql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-postgresql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/snort-snmp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/snort-1.9.1-0.5mdk.src.rpm

Mandrake Linux 8.2/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-bloat-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-mysql-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-postgresql-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/snort-snmp-1.9.1-0.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/snort-1.9.1-0.5mdk.src.rpm

Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-bloat-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-mysql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-mysql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-plain+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-postgresql+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-postgresql-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-snmp+flexresp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/snort-snmp-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/snort-1.9.1-0.5mdk.src.rpm

Multi Network Firewall 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/snort-1.9.1-0.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/snort-1.9.1-0.5mdk.src.rpm

The updated packages are also available from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

Martin Roesch
-------------
The vendor has fixed this issue in the latest release, Snort 1.9.1. Download it from the vendor's site:

http://www.snort.org/dl/snort-1.9.1.tar.gz

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.