lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050308011624.GA29376@cecilija.zesoi.fer.hr>
Date: Tue, 8 Mar 2005 02:16:24 +0100
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: Ethereal remote buffer overflow


			LSS Security Advisory #LSS-2005-03-04
			       http://security.lss.hr

---

Title			:  Ethereal remote buffer overflow
Advisory ID		:  LSS-2005-03-04
Date			:  08.03.2005 
Advisory URL:		:  http://security.lss.hr/en/index.php?page=exp 
Impact			:  Stack overflow and possible code execution
Risk level		:  High 
Vulnerability type	:  Remote 
Vendors contacted	:  Yes

---




===[ Overview 

Ethereal is used by network professionals around the world for troubleshooting, 
analysis, software and protocol development, and education. It has all of the 
standard features  you would expect in a protocol analyzer, and several 
features not seen in any other product. Its open source license allows talented 
experts in the networking community to add enhancements. It runs on all popular 
computing platforms, including Unix, Linux, and Windows.



===[ Vulnerability

There is remote buffer overflow vulnerability in Ethereal dissector for 
CDMA2000 A11 packets. Vulnerability is located in dissect_a11_radius() function 
in packet-3g-a11.c used for RADIUS authentication dissection. Number of bytes 
that will be copied from packet to buffer in stack is taken from packet itself. 
16 bytes are reserved for that buffer, and string length can be up to 256 bytes 
(unsigned char), so is possible to overflow local variables and return address. 


packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  size_t     radius_len;
  ...
  guchar     str_val[MAX_STRVAL]; 
  ...
  radius_len = tvb_get_guint8(tvb, offset + 1);
  ...
  strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2); 
...
}
----------------

A similar vulnerability was also found in same function few lines below where 
RADIUS attributes are copied to stack.

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  guint      attribute_len;
  ...
  guchar     str_val[MAX_STRVAL];
  ...
  attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
  ...
  case ATTR_TYPE_STR:
  strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
         attribute_len - 2); 

...
}
----------------



===[ Affected versions

All versions after 3G-A11 dissector was added to CVS including latest 0.10.9.
Vulnerability was tested with latest Ethereal on Linux and Windows.



===[ Fix

It seems that that they have fixed that vulnerability just few days ago, 
and new version will probably be available soon from http://www.ethereal.com.



===[ PoC Exploit

Exploit is in attachment, and URL http://security.lss.hr/en/PoC/ 



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775
  




View attachment "eth0day.c" of type "text/plain" (974 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ