Info

Disclosure

May 31, 2006

Discovery

May 17, 2006

Dates

Exploit

May 31, 2006

Solution

Unknown

Description

Snort contains a flaw that may allow a remote attacker to bypass IDS detection. The issue is triggered by adding a carriage return to the end of a URL, directly before the HTTP protocol declaration. It is possible that the flaw may allow bypass detection of "uricontent" rules resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Third-Party Solution
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Security Software

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Demarc Threat Research Team has released an unofficial patch to address this vulnerability.

Products

Sourcefire, Inc.	Snort	2.4.0
		2.4.1
		2.4.2
		2.4.3
		2.4.4

References

Security Tracker: 1016191
Bugtraq ID: 18200
CVE ID: 2006-2769 (see also: NVD)
Secunia Advisory ID: 20413 20766
SCIP VulDB ID: 2276
VUPEN Advisory: ADV-2006-2119
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0706.html
http://archives.neohapsis.com/archives/dailydave/2006-q2/0187.html
http://archives.neohapsis.com/archives/dailydave/2006-q2/0188.html
http://marc.theaimsgroup.com/?l=snort-devel&m=114909074311462&w=2
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Jun/0008.html
http://www.demarc.com/support/downloads/patch_20060531
Vendor URL: http://www.snort.org/
Vendor Specific News/Changelog Entry: http://www.snort.org/pub-bin/snortnews.cgi#431
Keyword: IDS Intrusion Detection System

Credit

Blake Hartstein - bhartsteindemarc.com - Demarc Threat Research Team

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Sourcefire, Inc.

Snort

References

Credit