“Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.”
[End Quote] www.snort.org
Two days ago, ISS released an advisory on a buffer overflow in Snort which may be used by worms. I admit I wasn’t paying too much attention to this when the advisory was released because… well.. because nothing hehehehe. Eeeeeniwey, what caught my attention was ISC’s Infocon Yellow, and after reading their reasoning on why this ‘is a big deal’, I thought “Oh yeeah, it IS a big deal”. Think witty.
Excerpts from ISC:
Why do we think this is a big deal:
- The exploit is rather easy to write. Yes, it’s specific to a particular binary, but there are a number of common binaries deployed in large numbers.
- It uses a single UDP packet, which can lead to very fast spreading worms.
- The UDP packet can be spoofed, and can use any port combination.
- Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.
So anyway, Paul and I were trying to create a POC for this (since we couldn’t find one), when suddenly! (for added drama hehehe), a new post from Full-Disclosure came in which carried a POC (albeit unfinished: only crashes the target machine) for the Snort exploit (by H.D. Moore of Metasploit). Oh well. At least creating a complete POC (with shellcode) will be much easier since H.D. Moore already started it hehehehe and NVW only needs the code that causes the exploit. Also, the NVW team has already been alerted to this issue as well as the POC.