Snort <=2.2 Denial of Service exploit posted

While doing my daily security reading, I came across news of a Snort 2.20 DoS exploit posted at SANS ISC. According to the daily handler, K-OTik notified them of an exploit for Snort 2.2 and earlier. In the handler’s words: “It will core dump a running Snort process with a specially crafted packet. The recommended fix is to upgrade to Snort 2.3 RC1 or better which various handlers have reported is stable. This particular exploit works with Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and OpenBSD).” When I chatted with Marty Roesch over IRC, he stated that the exploit only works when Snort is run in sniffer mode. Specifically, it’s a bug in log.c and will only happen when “you touch the p->tcp_options[] array directly and nothing in snort outside the protocol printers does”.