Snort DCE/RPC preprocessor buffer overflow

Added: 07/09/2007
CVE: CVE-2006-5276
BID: 22616
OSVDB: 32094

Background

Snort is an open-source intrusion detection system. It includes a DCE/RPC preprocessor, which reassembles DCE/RPC traffic before it is passed to the intrusion detection engine.

Problem

A buffer overflow vulnerability in the DCE/RPC preprocessor allows remote attackers to execute arbitrary commands by chaining together multiple WriteAndX requests in the same TCP segment.
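For triage of captured port 445 traffic, the pattern named above (more than one WriteAndX request in a single TCP segment) can be counted with a short script. This is an added example, not code from the advisory or from Snort; the function names and the sample payloads are constructed for illustration, and it assumes SMB1 framed with the 4-byte NetBIOS session header.

```python
import struct

SMB_MAGIC = b"\xffSMB"
WRITE_ANDX = 0x2F   # SMB_COM_WRITE_ANDX
NO_ANDX = 0xFF      # AndXCommand value that terminates a chain
# SMB1 commands whose parameter block begins with AndX fields
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}

def _count_in_chain(smb: bytes) -> int:
    """Walk one SMB message's AndX chain and count WriteAndX commands."""
    cmd, off, seen, hits = smb[4], 32, set(), 0
    while cmd != NO_ANDX and off not in seen and off + 5 <= len(smb):
        seen.add(off)                  # guard against offsets that loop
        hits += cmd == WRITE_ANDX
        if cmd not in ANDX_COMMANDS or smb[off] < 2:
            break                      # no AndX fields to follow
        cmd = smb[off + 1]             # AndXCommand of the next request
        off = struct.unpack_from("<H", smb, off + 3)[0]  # AndXOffset
    return hits

def count_write_andx(payload: bytes) -> int:
    """Count WriteAndX requests across every SMB message in one TCP payload."""
    total, pos = 0, 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]        # 0x00 = session message
        frame_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        smb = payload[pos + 4:pos + 4 + frame_len]
        pos += 4 + frame_len
        if msg_type == 0 and smb[:4] == SMB_MAGIC and len(smb) > 32:
            total += _count_in_chain(smb)
    return total

# --- constructed sample payloads (benign, 4 bytes of data per write) ---
def _block(next_cmd: int, next_off: int, data: bytes = b"TEST") -> bytes:
    params = struct.pack("<BBHHIIHHHHH", next_cmd, 0, next_off,
                         0x4000, 0, 0, 0, 0, 0, len(data), 0)
    return bytes([12]) + params + struct.pack("<H", len(data) + 1) + b"\x00" + data

def _frame(body: bytes) -> bytes:
    smb = SMB_MAGIC + bytes([WRITE_ANDX]) + bytes(27) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

SINGLE = _frame(_block(NO_ANDX, 0))
CHAINED = _frame(_block(WRITE_ANDX, 64) + _block(NO_ANDX, 0))

if __name__ == "__main__":
    for name, seg in (("single", SINGLE), ("chained", CHAINED)):
        print(name, count_write_andx(seg))
```

A count above 1 marks a segment for review only; several writes in one segment can also be legitimate, so correlate with the Snort version running on the sensor.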

Resolution

Upgrade to Snort 2.6.1.3 or higher.

References

http://www.us-cert.gov/cas/techalerts/TA07-050A.html
http://www.snort.org/docs/advisory-2007-02-19.html

Limitations

Exploit works on Snort 2.6.1.1 on Windows and Snort 2.6.1.2 on Red Hat 8, and requires port 445/TCP to be open on the target.

Platforms

Windows 2000
Windows XP SP0 / Windows XP SP1
Windows XP SP2 / Windows XP
Linux
