lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 7 May 2005 21:08:38 -0400
From: "Ejovi Nuwere" <ejovi@...uritylab.net>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: [SecurityLab] Ethereal 0.10.10 SIP Dissector
	Overflow



Advisory Name: Ethereal 0.10.10 SIP Dissector Overflow
 Release Date: 05/07/05
  Application: Ethereal 0.10.10 and Prior
     Platform: Multiple
     Severity: A remote attacker can execute arbitrary commands
       Author: Ejovi Nuwere <ejovi{AT}securitylab.net>
Vendor Status: Vendor has published patch  
    Reference: http://www.securitylab.net/ethereal-0-10-10.txt


Overview:

Ethereal is a popular open source network sniffer. It has the ability to
inspect and dissect more then 600 protocols. Ethereal is used by network
professionals around the world for troubleshooting, analysis, software
and protocol development, and education. It runs on all popular
computing platforms, including Unix, Linux, and Windows.

SecurityLab Technologies has discovered a exploitable overflow in
Ethereal's SIP dissector resulting from the strcpy() of a overly long
string into a fixed buffer.

To exploit this vulnerability an attacker does not need to know the
location of the sniffing Ethereal. As long as the hostile packet is
directed at the network being observed by the victim.

Successful exploitation of this vulnerability will lead to execution of
arbitrary commands on a system running the sniffer with the privileges
of the user running Ethereal.


Details:

The overflow occurs while parsing the value of cseq_method, the
guilty code can be found in Packet-sip.c

/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value);
value_offset++)
	{
		if (isalpha((guchar)value[value_offset]))
		{
			strcpy(cseq_method,value+value_offset);
			break;
		}

value is controlled by the attacker and cseq_method is a fixed
buffer:
char    cseq_method[16] = "";


Vendor Status:

The Ethereal development team has released a patched version of
Ethereal (0.10.11) which can be downloaded from:
http://ethereal.com/download.html


Special thanks:
Tim Newsham for:
	1) Being one of the smartest people we know.
	2) His assistance in debugging this vulnerability.



Disclamer:

The contents of this advisory are copyright (c) 2005 SecurityLab
Technologies and may be distributed freely provided that no fee
is charged for this distribution and proper credit is given.

About SecurityLab
SecurityLab Technologies Inc. provides security services for government
agencies and corporations requiring expert assistance with technology
threat management. The company is headquartered in Boston, MA, more
information about SecurityLab is available at, www.securitylab.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists