Monday, February 19, 2007

Snort Remote RPC 0day

Snort announced a vulnerability today in their SMB and DCE parser. Basically while reassembling some SMB traffic there was no bounds checking and a simple stack overflow was possible.

From the changelog:

2007-02-16 Steven Sturges
* src/dynamic-preprocessors/
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
length buffer copies.

Congrats to exploit ninja and my personal hero, Neel Mehta, for finding this.

Exploit and HEV should be available for customers in a few hours.

No comments: