Snort Bug Exploit Shows Up

A working exploit for last week's Snort vulnerability has been released, a security vendor said Wednesday, but any attack should be short-lived and probably feeble.

The vulnerability in Snort, an open-source intrusion detection system (IDS) used by more than 100,000 companies and government agencies to defend networks, was unveiled last Wednesday, and simultaneously patched. Because Snort's ubiquitous in enterprises -- and used in nearly four dozen commercial IDS products -- experts cautioned companies to patch as soon as possible, because and exploit might spread very quickly, and resemble some of the worst worms ever, including 2003's Slammer.

According to a bulletin issued by Symantec, an exploit targeting Snort running on Linux with the 2.6 kernel has been published by The Hacker's Choice (THC); Symantec's research team has also confirmed that the exploit works.

Not all is doom and gloom, however.

"The return addresses used by the exploit will probably only bind the shell on a limited number of systems; causing a denial of service condition on others," read Symantec's warning.

"It required system specific return addresses to be supplied to successfully exploit the vulnerability," Symantec said.