Title : Ethereal remote buffer overflow #2
Advisory ID : LSS-2005-03-05
Date : 2005-03-10
Advisory URL: : http://security.lss.hr/index.php?page=details&ID=LSS-2005-03-05
Impact : DoS and maybe possible code execution
Risk level : Medium
Vulnerability type : Remote
Vendors contacted : 10th March, 2005
---
===[ Overview
Ethereal is an application used by network professionals for troubleshooting,
analysis and education, as well as the software and protocol development.
Ethereal provides all the features that protocol analyzer should have.
Moreover, there are several extra features which other products do not support.
The license is open source, what allows networking community experts to add
enhancements. Ethereal also supports different platforms, including Unix, Linux,
and Windows.
===[ Vulnerability
We have discovered another vulnerability in one of Ethereal dissectors. This time
problem is in IAPP dissector. It is possible to overflow static buffer with
length value taken from network packet. Vulnerability itself is in dissect_pdus()
function.
Length is calculated from two guint8 variables in which first one is shifted to
left, and second is added to it, so it can be up to 65535. That length is later
used in loops that can be abused to overflow static buffer 'textbuffer[2000]'.
packet-iapp.c
-------------
static void
dissect_pdus(tvbuff_t *tvb, int offset, proto_tree *pdutree, int pdulen)
{
...
int len;
...
tvb_memcpy(tvb, (guint8 *)&pduhdr, offset, sizeof(e_pduhdr));
len = (((int)pduhdr.pdu_len_h) << 8) + pduhdr.pdu_len_l;
...
}
-------------
Vulnerable loop example in packet-iapp.c:
-----------------
pduval_to_str(int type, int len, tvbuff_t *tvb, int offset)
{
...
case IAPP_PDU_MSADDR:
mac = tvb_get_ptr(tvb, offset + 3, len);
for (z = 0; z < len; z++)
run += sprintf(run, "%s%02x", z ? ":" : "", mac[z]);
break;
...
}
----------------
Remote code execution depends on overflowed buffer environment, and maybe it
could be possible, but wasn't further investigated.
===[ Affected versions
All versions after IAPP dissector was added to CVS, including version 0.10.9.
PoC exploit for this vulnerability was tested with Ethereal 0.10.9 on Windows,
and Ethereal developer Guy Harris tested it on OS X.
===[ Fix
This vulnerability is fixed in latest Ethereal version 0.10.10, and can be
downloaded from http://www.ethereal.com/download.html.
===[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/en/PoC
===[ Credits
Credits for this vulnerability goes to Leon Juranic <ljuranic (at) lss (dot) hr [email concealed]>.
LSS Security Advisory #LSS-2005-03-05
http://security.lss.hr
---
Title : Ethereal remote buffer overflow #2
Advisory ID : LSS-2005-03-05
Date : 2005-03-10
Advisory URL: : http://security.lss.hr/index.php?page=details&ID=LSS-2005-03-05
Impact : DoS and maybe possible code execution
Risk level : Medium
Vulnerability type : Remote
Vendors contacted : 10th March, 2005
---
===[ Overview
Ethereal is an application used by network professionals for troubleshooting,
analysis and education, as well as the software and protocol development.
Ethereal provides all the features that protocol analyzer should have.
Moreover, there are several extra features which other products do not support.
The license is open source, what allows networking community experts to add
enhancements. Ethereal also supports different platforms, including Unix, Linux,
and Windows.
===[ Vulnerability
We have discovered another vulnerability in one of Ethereal dissectors. This time
problem is in IAPP dissector. It is possible to overflow static buffer with
length value taken from network packet. Vulnerability itself is in dissect_pdus()
function.
Length is calculated from two guint8 variables in which first one is shifted to
left, and second is added to it, so it can be up to 65535. That length is later
used in loops that can be abused to overflow static buffer 'textbuffer[2000]'.
packet-iapp.c
-------------
static void
dissect_pdus(tvbuff_t *tvb, int offset, proto_tree *pdutree, int pdulen)
{
...
int len;
...
tvb_memcpy(tvb, (guint8 *)&pduhdr, offset, sizeof(e_pduhdr));
len = (((int)pduhdr.pdu_len_h) << 8) + pduhdr.pdu_len_l;
...
}
-------------
Vulnerable loop example in packet-iapp.c:
-----------------
pduval_to_str(int type, int len, tvbuff_t *tvb, int offset)
{
...
case IAPP_PDU_MSADDR:
mac = tvb_get_ptr(tvb, offset + 3, len);
for (z = 0; z < len; z++)
run += sprintf(run, "%s%02x", z ? ":" : "", mac[z]);
break;
...
}
----------------
Remote code execution depends on overflowed buffer environment, and maybe it
could be possible, but wasn't further investigated.
===[ Affected versions
All versions after IAPP dissector was added to CVS, including version 0.10.9.
PoC exploit for this vulnerability was tested with Ethereal 0.10.9 on Windows,
and Ethereal developer Guy Harris tested it on OS X.
===[ Fix
This vulnerability is fixed in latest Ethereal version 0.10.10, and can be
downloaded from http://www.ethereal.com/download.html.
===[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/en/PoC
===[ Credits
Credits for this vulnerability goes to Leon Juranic <ljuranic (at) lss (dot) hr [email concealed]>.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security (at) LSS (dot) hr [email concealed]
Tel : +385 1 6129 775
[ reply ]