Vigil@nce - Snort: buffer overflow of Sourcefire VRT Rules
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the administrator has installed the Sourcefire VRT Rules and
enabled the rule "3:20275", an attacker can send a crafted DCE RPC
EnumeratePrintShares message in order to trigger a buffer overflow in
Snort, which may lead to code execution.
Impacted products: Snort
Severity: 2/4
Creation date: 21/01/2013
DESCRIPTION OF THE VULNERABILITY
The rule "3:20275" of the Sourcefire VRT Rules detects attempts to
exploit the vulnerability CVE-2009-0228 (VIGILANCE-VUL-8778), an
overflow in EnumeratePrintShares, the function which lists print
shares. This rule is not enabled by default.
The rule is implemented in the rule20275eval() function of the
so_rules/src/netbios_kb961501-smb-printss-reponse.c file. This
function checks that the number of entries in the
EnumeratePrintShares message does not exceed 20, but it stores the
entries in an array of only 10 slots. An attacker can therefore send
a message containing between 11 and 20 entries: the count passes the
check, and the entries written beyond the tenth overflow the array.
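As an added illustration of the mismatch described above (this is not the code of rule20275eval() or of the Sourcefire VRT Rules; only the bound of 20 and the array of 10 slots come from the bulletin, while the message layout, the modelled stack frame and all names are assumptions made here), the following C model puts the vulnerable check beside the corrected one and shows which entry counts clobber the data adjacent to the array:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model, not the Sourcefire rule code.  Only two numbers
 * are from the bulletin: the check allows up to 20 entries, the array
 * holds 10.  The message layout (32-bit little-endian entry count, then
 * 8-byte entries) and every name below are assumed for this demo. */
#define CHECKED_MAX 20
#define SLOTS       10
#define ENTRY_SIZE   8
#define SENTINEL    0xdeadbeefu

/* Modelled stack frame.  'saved' stands in for whatever follows the
 * entry array in the real frame.  'rest' exists only so the modelled
 * overflow stays inside this object and the demo is well-defined C. */
struct frame {
    uint8_t  entries[SLOTS * ENTRY_SIZE];
    uint32_t saved;
    uint8_t  rest[(CHECKED_MAX - SLOTS) * ENTRY_SIZE];
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed message: 'count' entries, each filled with 'fill'.
 * Returns the message length, or 0 if buf is too small. */
size_t build_message(uint8_t *buf, size_t cap, uint32_t count, uint8_t fill)
{
    size_t need = 4 + (size_t)count * ENTRY_SIZE;
    if (cap < need) return 0;
    buf[0] = (uint8_t)count;         buf[1] = (uint8_t)(count >> 8);
    buf[2] = (uint8_t)(count >> 16); buf[3] = (uint8_t)(count >> 24);
    memset(buf + 4, fill, need - 4);
    return need;
}

/* Vulnerable pattern: the bound is CHECKED_MAX, the destination holds
 * SLOTS entries.  Counts 11..20 pass the check and write past the array;
 * in this model the excess lands on 'saved'.  0 = ok, -1 = count
 * rejected, -2 = truncated message. */
int parse_vulnerable(const uint8_t *msg, size_t len, struct frame *f)
{
    uint8_t *dst = (uint8_t *)f;                 /* entries[] is at offset 0 */
    if (len < 4) return -2;
    uint32_t count = le32(msg);
    if (count > CHECKED_MAX) return -1;          /* bound does not match array */
    if (len < 4 + (size_t)count * ENTRY_SIZE) return -2;
    for (uint32_t i = 0; i < count; i++)
        memcpy(dst + (size_t)i * ENTRY_SIZE, msg + 4 + (size_t)i * ENTRY_SIZE, ENTRY_SIZE);
    return 0;
}

/* Hardened form: the accepted count is the size of the destination. */
int parse_hardened(const uint8_t *msg, size_t len, struct frame *f)
{
    if (len < 4) return -2;
    uint32_t count = le32(msg);
    if (count > SLOTS) return -1;                /* bound matches the array */
    if (len < 4 + (size_t)count * ENTRY_SIZE) return -2;
    for (uint32_t i = 0; i < count; i++)
        memcpy(f->entries + (size_t)i * ENTRY_SIZE, msg + 4 + (size_t)i * ENTRY_SIZE, ENTRY_SIZE);
    return 0;
}

/* Feeds a 'count'-entry message to one parser; *clobbered reports
 * whether the sentinel after the array survived. */
int run_case(int (*parser)(const uint8_t *, size_t, struct frame *),
             uint32_t count, int *clobbered)
{
    uint8_t msg[4 + (CHECKED_MAX + 1) * ENTRY_SIZE];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved = SENTINEL;
    size_t len = build_message(msg, sizeof msg, count, 0x41);
    int rc = len ? parser(msg, len, &f) : -3;
    *clobbered = (f.saved != SENTINEL);
    return rc;
}

int vuln_rc(uint32_t n)        { int c; return run_case(parse_vulnerable, n, &c); }
int vuln_clobbered(uint32_t n) { int c; run_case(parse_vulnerable, n, &c); return c; }
int hard_rc(uint32_t n)        { int c; return run_case(parse_hardened, n, &c); }
int hard_clobbered(uint32_t n) { int c; run_case(parse_hardened, n, &c); return c; }

int main(void)
{
    for (uint32_t n = 9; n <= 21; n++)
        printf("count=%2u  vulnerable: rc=%2d saved %-9s  hardened: rc=%2d\n",
               n, vuln_rc(n), vuln_clobbered(n) ? "CLOBBERED" : "intact", hard_rc(n));
    return 0;
}
```

Counts 1 to 10 leave the sentinel intact for both parsers; 11 to 20 pass the vulnerable check and overwrite it, which is exactly the window the bulletin names; 21 and above are rejected by both. The hardened parser rejects anything above 10. The real frame is not padded the way this model is: there, the bytes past the tenth slot are whatever the compiler placed after the array on the stack.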
When the administrator has installed the Sourcefire VRT Rules and
enabled the rule "3:20275", an attacker can therefore send a crafted
DCE RPC EnumeratePrintShares message in order to trigger a buffer
overflow in Snort, which may lead to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Snort-buffer-overflow-of-Sourcefire-VRT-Rules-12343