the snort bo exploit

spoonfork



Wednesday, October 26. 2005

the snort bo exploit

RD (Red Dragon) of THC released the exploit for the Snort BackOrifice vulnerability discovered by Neel Mehta. (cool! a competitor looking for vulnerabilities in another competitor's product). it is a pretty easy exploit actually, and works on linux with 2.6 kernel. there's no exploit for FreeBSD yet.

question is, if you are running snort on linux, should you be concerned? or another question, if you are running sourcefire's snort appliance, should you be concerned? well, yes. but let's not play the blame game here. but i will. you are definitely lame whatever-certified system/network/security administrator if you run snort on linux without grsecurity. lamer, that who you are. lame lame lame.

and oh, if you have one of those sourcefire appliance boxes, good luck.

(oh wait, i know many people who deployed snort without grsec... i must have pissed a lot of friends by calling them lame)



Posted by at 12:51 | Comments (2) | Trackbacks (0)
Tag(s):
Related entries by tags:
Migrating from Wordpress to Serendipity
bashing the shell
Gimp.app: Fixing Random Crashes on OS X Leopard
Installing PostgreSQL 8.2.5 on Leopard
Leopard - First Glimpse

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

hi mel, without any disrespect, but I cant agree with you that the exploit for snort is easy. If you did work on the exploit by yourself before, you will see that snort bug is not trivial/easy to exploit. You can overwrite eip easily in some cases but harly in some cases depends on compiler option (have you tried with redhat snort-plain binary?). Even though eip is controlable, it is not easy for a reliable/working exploit (many people think that because they can overwrite eip with 0x41414141 in gdb, so it's easy for a really working exploit :-D). That's why many people were working on it, you couldn't see any working exploit for the bug after more than a week the bug released except a non-working exploit of HD Moore.
#1 xiaozhu on 2005-10-30 14:51 (Reply)
RD tu adik si Slash aka nullbyte, hahahaha
#2 il80r on 2005-10-30 00:05 (Reply)

Add Comment



Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

About

This is the personal blog of Mel Mudin (spoonfork). All data and information provided on this site is for informational purposes and on an as-is basis.

This weblog does not represent the thoughts, intentions, plans or strategies of my employers. It is solely my opinion and views as a kambing biri-biri.

Feel free to challenge me, disagree with me, or even tell me that I am a kambing biri-biri wannabee in the comment section of each blog entry.

Quicksearch

Archives

September 2008
August 2008
July 2008
Recent...
Older...

Show tagged entries

Syndicate This Blog