Sourcefire Snort SMB Preprocessor Buffer Overflow (Jan 30, 2013)


Snort is a free and open source network intrusion prevention system (IPS) and network intrusion detection system (IDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. Snort performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, including protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user. The Sourcefire Vulnerability Research Team distributes official rules for Snort. While most of these rules are written in the typical rule description language, some rules are written in C, compiled and distributed as shared libraries. As Snort performs protocol analysis, the Snort rules are capable of processing various network protocols such as Server Message Block (SMB).

Server Message Block (SMB), also known as Common Internet File System (CIFS), is an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. SMB connections can either be sent directly over TCP or be encapsulated as NetBIOS payload. An SMB packet begins with an SMB Header, which has the following structure:

 SMB Header
 Offset  Size  Field
 ------------------------------------------------------------------------
 0x00    4     Server Component (\xffSMB)
 0x04    1     SMB Command: Trans (0x25)
 0x05    4     NT Status
 0x09    1     Flags (bit: 0 = Request/Response)
 0x0A    2     Flags2
 0x0C    2     PID High
 0x0E    8     Signature
 0x16    2     Reserved
 0x18    2     Tree ID
 0x1A    2     Process ID
 0x1C    2     User ID
 0x1E    2     Multiplex ID
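The header above, parsed with an explicit length check before any field is read. This is an added illustration in C, not Snort's code or the shared-object rule's; the offsets follow the table, and the 32-byte sample header is constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMB_HDR_LEN 32   /* fixed-size header; field offsets as in the table above */

typedef struct {
    uint8_t  command;
    uint32_t nt_status;
    uint8_t  flags;
    uint16_t flags2, pid_high;
    uint8_t  signature[8];
    uint16_t tid, pid, uid, mid;
} smb_hdr_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse only after checking that the whole header is present: 0 = ok,
 * -1 = buffer shorter than the header, -2 = missing "\xffSMB" marker.
 * Never reads past len, which is the guarantee a detection engine needs. */
int smb_parse_header(const uint8_t *buf, size_t len, smb_hdr_t *out)
{
    if (buf == NULL || out == NULL || len < SMB_HDR_LEN) return -1;
    if (memcmp(buf, "\xffSMB", 4) != 0) return -2;
    out->command   = buf[0x04];
    out->nt_status = le32(buf + 0x05);
    out->flags     = buf[0x09];
    out->flags2    = le16(buf + 0x0A);
    out->pid_high  = le16(buf + 0x0C);
    memcpy(out->signature, buf + 0x0E, 8);   /* 0x16: 2 reserved bytes skipped */
    out->tid = le16(buf + 0x18);
    out->pid = le16(buf + 0x1A);
    out->uid = le16(buf + 0x1C);
    out->mid = le16(buf + 0x1E);             /* 2-byte User ID ends at 0x1E */
    return 0;
}

/* Flags bit 0x80 (SMB_FLAGS_REPLY) set means the message is a response. */
int smb_is_response(const smb_hdr_t *h) { return (h->flags & 0x80) != 0; }

/* Constructed 32-byte Trans (0x25) request header: TID 1, PID 0x1234, UID 8, MID 0x40. */
static const uint8_t sample_smb_hdr[SMB_HDR_LEN] = {
    0xff, 'S', 'M', 'B', 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc8,
    0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x00,
    0x01, 0x00, 0x34, 0x12, 0x08, 0x00, 0x40, 0x00 };
```

Truncated input and input without the marker are rejected before any field is touched, so later per-command parsing can trust that the fixed header is complete.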

Snort rule 3:20257 is distributed by Sourcefire as a precompiled binary. A stack-based buffer overflow vulnerability has been identified in this rule. An attacker can exploit this vulnerability to cause a stack buffer overflow, which would allow arbitrary code injection and execution with the privileges of Snort, which by default are administrative.

The Dell SonicWALL UTM team has researched this vulnerability and released the following signature addressing it:

  • 9563 Sourcefire Snort DCE-RPC Preprocessor Buffer Overflow 6

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.
