Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Sourcefire VRT rules update addresses remote stack buffer overflow in rule 3:20275 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sourcefire VRT rules update addresses remote stack buffer overflow in rule 3:20275

Sourcefire VRT released a rules update on 17 JAN that included what they refer to as "a potential security issue with rule 3:20275 reported by Tavis Ormandy."

Tavis' Tweet states that "today's snort rules fix a remote stack buffer overflow I found in rule 20275. Fixed by @sourcefire in just 48hrs. http://bit.ly/STm7Ij"

Fast turnaround by the Sourcefire gang. Here's the diff for the fix:

Compare: (<)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10885 bytes) with: (>)D:\so_rules\src\netbios_kb961501-smb-printss-reponse.c (10923 bytes)

Change 1:
<        2, /* revision */
---
>        3, /* revision */

Change 2:
> #define NUM_ARRAYS 20

Change 3:
<     u_int8_t check_array[10];
---
>     u_int8_t check_array[NUM_ARRAYS];

Change 4:
<     if(arrays > 20) {
---
>     if(arrays > NUM_ARRAYS) {

Russ McRee | @holisticinfosec

Russ McRee

181 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!