Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sourcefire VRT rules update addresses remote stack buffer overflow in rule 3:20275

Published: 2013-01-18
Last Updated: 2013-01-18 18:37:26 UTC
by Russ McRee (Version: 1)
0 comment(s)

Sourcefire VRT released a rules update on 17 JAN that included what they refer to as "a potential security issue with rule 3:20275 reported by Tavis Ormandy."

Tavis' Tweet states that "today's snort rules fix a remote stack buffer overflow I found in rule 20275. Fixed by @sourcefire in just 48hrs. http://bit.ly/STm7Ij"

Fast turnaround by the Sourcefire gang. Here's the diff for the fix:

Compare: (<)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10885 bytes) with: (>)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10923 bytes)

Change 1:
<        2, /* revision */
---
>        3, /* revision */

Change 2:
> #define NUM_ARRAYS 20

Change 3:
<     u_int8_t check_array[10];
---
>     u_int8_t check_array[NUM_ARRAYS];

Change 4:
<     if(arrays > 20) {
---
>     if(arrays > NUM_ARRAYS) {

Russ McRee | @holisticinfosec

0 comment(s)
Diary Archives