
SANS ISC InfoSec Handlers Diary Blog



Snort BO status update

Published: 2005-10-20
Last Updated: 2005-10-20 05:27:33 UTC
by Kyle Haugsness (Version: 1)
Here is an update regarding the Snort Back Orifice pre-processor vulnerability...(Kyle Haugsness Oct. 20 05:30 UTC)

When this vulnerability was announced yesterday, I was curious to see how difficult this would be to exploit due to the widespread nature of Snort.  After doing a little research on the encryption method in Back Orifice, I was able to develop working exploit code in 2 hours.  Bad news!!  Of course, we aren't in the business of releasing exploits, so this code is staying private.  Now, it appears that HD Moore is very close to having exploit code working as a plugin to Metasploit.  If we haven't said it loudly enough already, PLEASE UPGRADE your Snort sensors or disable the BO pre-processor if running the vulnerable versions of the Snort 2.4 series.  I checked the 2.3.2 source tree today and it is not vulnerable.

How about defensive measures?  If you are running Snort and are able to upgrade, then the new version should detect the exploit attempt.  But I am working on two additional defensive tools.  The first is a Snort signature that should catch the exploit attempt.  This should be available real soon now (tm).

The second tool may prove to be much more valuable.  This tool is necessary because of the fact that the exploit can be triggered on any UDP port (except 31337) and that all Back Orifice traffic is encrypted.  I don't want to give away more information at this point, since it will help the exploit writers.  The tool is a standalone program that utilizes libpcap to sniff traffic and decode UDP traffic looking for the exploit.  It will be useful to folks that can't upgrade their Snort daemon to get the new detection it provides, but still want to see if they are being attacked.  Secondly, this will be useful to people running a different IDS system that can't decode the Back Orifice encryption.  Third, it will probably be very useful in identifying a global worm outbreak. 

Since time is of the essence here, I am hoping to have this tool available very shortly.  It will require libpcap and is being developed on Debian Linux.  It will not require Snort to be running.  Since code portability isn't my strong suit, we may be looking for people to test and port the code to FreeBSD, Solaris, etc.  Please drop us an e-mail if you would be willing to help in this area.  The source code is currently about 800 lines.
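As an added illustration of the detector core such a tool needs (example code written for this page, not the ISC tool described above): the 16-bit key space is brute-forced against only the 8-byte magic prefix, and the check is applied to every UDP payload whatever its port. The Back Orifice framing and keystream constants are reproduced from memory of the public BO 1.x protocol and should be treated as assumptions; libpcap capture and IP/UDP header parsing are left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed BO 1.x wire format: 8-byte magic, 4-byte LE length, 4-byte id,
 * 1-byte type, data; all XORed with an MSVC-style LCG keystream seeded by
 * a 16-bit key (31337 is the default). These are assumptions, not diary facts. */
#define BO_MAGIC      "*!*QWTY?"
#define BO_MAGIC_SIZE 8
#define BO_MIN_SIZE   18
#define BO_KEY_SPACE  65536u

static uint32_t bo_holdrand;                      /* unsigned: wrap is well defined */
static void bo_srand(uint32_t seed) { bo_holdrand = seed; }
static unsigned bo_rand(void) {
    bo_holdrand = bo_holdrand * 214013u + 2531011u;
    return (bo_holdrand >> 16) & 0x7fff;
}

/* XOR len bytes with the keystream for key; encrypt and decrypt are the same op. */
static void bo_xor(const uint8_t *in, uint8_t *out, size_t len, uint16_t key) {
    bo_srand(key);
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ (uint8_t)(bo_rand() & 0xff);
}

/* Detector core, run on every UDP payload regardless of port: try all 65536
 * keys against the magic prefix only. Returns the key on a match, else -1. */
int bo_detect(const uint8_t *payload, size_t len) {
    uint8_t plain[BO_MAGIC_SIZE];
    if (len < BO_MIN_SIZE) return -1;             /* too short to be a BO packet */
    for (unsigned key = 0; key < BO_KEY_SPACE; key++) {
        bo_xor(payload, plain, BO_MAGIC_SIZE, (uint16_t)key);
        if (memcmp(plain, BO_MAGIC, BO_MAGIC_SIZE) == 0) return (int)key;
    }
    return -1;
}

/* Constructed sample: a minimal BO-framed packet encrypted under key (not a capture). */
size_t bo_make_sample(uint8_t *out, size_t cap, uint16_t key) {
    uint8_t plain[BO_MIN_SIZE] = BO_MAGIC;        /* remaining bytes zeroed */
    plain[8] = BO_MIN_SIZE;                       /* length, little endian */
    plain[12] = 1;                                /* packet id */
    plain[16] = 0x01;                             /* type byte; plain[17] is data */
    if (cap < BO_MIN_SIZE) return 0;
    bo_xor(plain, out, BO_MIN_SIZE, key);
    return BO_MIN_SIZE;
}

int main(void) {
    uint8_t pkt[64], other[32] = {0x12, 0x34, 0x01, 0x00}; /* second one is non-BO */
    size_t n = bo_make_sample(pkt, sizeof pkt, 31337);
    printf("BO sample: key %d, non-BO: %d\n", bo_detect(pkt, n), bo_detect(other, sizeof other));
    return 0;
}
```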
