Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Sourcefire VRT rules update addresses remote stack buffer overflow in rule 3:20275 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sourcefire VRT rules update addresses remote stack buffer overflow in rule 3:20275

Published: 2013-01-18
Last Updated: 2013-01-18 18:37:26 UTC
by Russ McRee (Version: 1)
0 comment(s)

Sourcefire VRT released a rules update on 17 JAN that included what they refer to as "a potential security issue with rule 3:20275 reported by Tavis Ormandy."

Tavis' Tweet states that "today's snort rules fix a remote stack buffer overflow I found in rule 20275. Fixed by @sourcefire in just 48hrs. http://bit.ly/STm7Ij"

Fast turnaround by the Sourcefire gang. Here's the diff for the fix:

Compare: (<)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10885 bytes) with: (>)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10923 bytes)

Change 1:
<        2, /* revision */
---
>        3, /* revision */

Change 2:
> #define NUM_ARRAYS 20

Change 3:
<     u_int8_t check_array[10];
---
>     u_int8_t check_array[NUM_ARRAYS];

Change 4:
<     if(arrays > 20) {
---
>     if(arrays > NUM_ARRAYS) {

Russ McRee | @holisticinfosec

0 comment(s)
Diary Archives