The attack could create a buffer overflow which executed a reverse telnet connection. Since the sniffing interface does not have an IP address, the reverse telnet connection will be sent out the management interface. This is only a theory... but it could easily happen.

Neil

Can someone from XForce please take the time to consider all aspects of this recently announced exploit? For example, organizations that have configured snort to run on a "stealth" interface only should not be impacted under any circumstances and therefore should not impetuously scramble to download and deploy the latest build. For example, the section:

> "It is also not necessary to know the network location of a Snort sensor. Exploit packets can be sent to any portion of a network upon which a target Snort sensor is listening"

> "A successful attack can either crash the Snort sensor, or lead to complete remote compromise."

Understandably this can potentially crash the snort daemon, cause the system to hang, or in a best case scenario generate a genuine buffer overflow and thereby render the system open to arbitrary code. However, provided the intruder crafts a fragmented RPC packet and targets this at any asset on the known network where there also happens to be a snort IDS system running in stealth mode, what possible advantage can the intruder have in following up with an attempt to take control of the compromised snort system? Additionally, if snort is running in non-promiscuous mode, what are the possibilities of the intruder obtaining and hijacking a layer 2 address from the snort system? It may be advantageous to inform the public about the full scope of this exploit as well as any potential restrictions or drawbacks.

Thanks

Tim Slighter

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
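Neil's point above, that a connection initiated from a compromised sensor leaves through the management interface because the sniffing interface has no address, turns the question Tim raises into a host-posture check for whoever operates the sensor. The Python below is an added illustration, not code from this thread, from ISS, or from the Snort project. It assumes a hypothetical Linux sensor with eth1 as the sniffing interface and eth0 as the management interface (both names are assumptions), parses text in the shape of `ip -o -4 addr show`, `ip -o link show` and `iptables-save` output (all samples are constructed, not captured from a real host), and reports the conditions that would either make the sensor reachable on the monitored segment or let an unexpected outbound connection leave via the management interface unhindered.

```python
"""Posture check for a Snort sensor on a 'stealth' (IP-less) sniffing interface.

Added illustration; not code from the ISSForum thread, ISS or Snort.
Assumptions (hypothetical): Linux host, eth1 = sniffing interface,
eth0 = management interface. All sample text is constructed.
"""
import re

# --- constructed samples (not real sensor output) --------------------------
GOOD_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
)
GOOD_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
)
# Default-deny OUTPUT chain: only replies to management SSH and syslog export may leave.
GOOD_FW = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 514 -j ACCEPT
COMMIT
"""
# Weakened variant: the sniffing interface was given an address, the OUTPUT
# policy is ACCEPT, and a rule lets anything leave via the sniffing interface.
BAD_ADDR = GOOD_ADDR + (
    "3: eth1    inet 192.0.2.9/24 brd 192.0.2.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)
BAD_FW = GOOD_FW.replace(":OUTPUT DROP", ":OUTPUT ACCEPT").replace(
    "COMMIT", "-A OUTPUT -o eth1 -j ACCEPT\nCOMMIT")

# --- parsers ---------------------------------------------------------------
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", re.M)
LINK_RE = re.compile(r"^\d+:\s+([^:]+):\s+<([^>]*)>", re.M)
POLICY_RE = re.compile(r"^:OUTPUT\s+(\w+)", re.M)
RULE_RE = re.compile(r"^-A OUTPUT\s+(.*?)\s+-j\s+(\w+)", re.M)


def parse_addrs(text):
    """Map interface name -> list of IPv4 CIDRs from `ip -o -4 addr show` text."""
    out = {}
    for iface, cidr in ADDR_RE.findall(text):
        out.setdefault(iface, []).append(cidr)
    return out


def parse_link_flags(text):
    """Map interface name -> set of link flags (e.g. PROMISC) from `ip -o link show` text."""
    return {iface: set(flags.split(",")) for iface, flags in LINK_RE.findall(text)}


def parse_output_chain(text):
    """Return (OUTPUT policy, [(out_iface, match_part, target), ...]) from iptables-save text."""
    m = POLICY_RE.search(text)
    policy = m.group(1) if m else None
    rules = []
    for match_part, target in RULE_RE.findall(text):
        oif = re.search(r"-o\s+(\S+)", match_part)
        rules.append((oif.group(1) if oif else None, match_part, target))
    return policy, rules


def audit_sensor(sniff_iface, mgmt_iface, addr_text, link_text, fw_text):
    """Return a list of human-readable findings; an empty list means the posture looks right."""
    findings = []
    addrs = parse_addrs(addr_text)
    flags = parse_link_flags(link_text)
    policy, rules = parse_output_chain(fw_text)

    if addrs.get(sniff_iface):
        findings.append(f"{sniff_iface} carries an IP address {addrs[sniff_iface]}: "
                        "it is not stealth, so the sensor is addressable on the monitored segment")
    if "PROMISC" not in flags.get(sniff_iface, set()):
        findings.append(f"{sniff_iface} is not in promiscuous mode: "
                        "the sensor only sees frames addressed to its own MAC")
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}: an unexpected outbound connection "
                        f"from the sensor host would leave via {mgmt_iface} unhindered")
    for oif, match_part, target in rules:
        if target == "ACCEPT" and oif == sniff_iface:
            findings.append(f"OUTPUT rule accepts traffic leaving the sniffing interface: {match_part}")
        elif target == "ACCEPT" and oif == mgmt_iface and not any(
                k in match_part for k in ("--dport", "--sport", "--state")):
            findings.append(f"OUTPUT rule on {mgmt_iface} has no port or state restriction: {match_part}")
    return findings


if __name__ == "__main__":
    for label, a, f in (("good", GOOD_ADDR, GOOD_FW), ("bad", BAD_ADDR, BAD_FW)):
        print(label, audit_sensor("eth1", "eth0", a, GOOD_LINK, f))
```

The check only reads state the operator already has on the box, so it can run from a cron job or a configuration-management test; on a real sensor the three text arguments would come from the corresponding commands rather than from the constructed strings above.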
