[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000001c5536a$781e7d30$b2011eac@7B15E5403E9>
Date: Sat, 7 May 2005 21:08:38 -0400
From: "Ejovi Nuwere" <ejovi@...uritylab.net>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: [SecurityLab] Ethereal 0.10.10 SIP Dissector
Overflow
Advisory Name: Ethereal 0.10.10 SIP Dissector Overflow
Release Date: 05/07/05
Application: Ethereal 0.10.10 and Prior
Platform: Multiple
Severity: A remote attacker can execute arbitrary commands
Author: Ejovi Nuwere <ejovi{AT}securitylab.net>
Vendor Status: Vendor has published patch
Reference: http://www.securitylab.net/ethereal-0-10-10.txt
Overview:
Ethereal is a popular open source network sniffer. It has the ability to
inspect and dissect more then 600 protocols. Ethereal is used by network
professionals around the world for troubleshooting, analysis, software
and protocol development, and education. It runs on all popular
computing platforms, including Unix, Linux, and Windows.
SecurityLab Technologies has discovered a exploitable overflow in
Ethereal's SIP dissector resulting from the strcpy() of a overly long
string into a fixed buffer.
To exploit this vulnerability an attacker does not need to know the
location of the sniffing Ethereal. As long as the hostile packet is
directed at the network being observed by the victim.
Successful exploitation of this vulnerability will lead to execution of
arbitrary commands on a system running the sniffer with the privileges
of the user running Ethereal.
Details:
The overflow occurs while parsing the value of cseq_method, the
guilty code can be found in Packet-sip.c
/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value);
value_offset++)
{
if (isalpha((guchar)value[value_offset]))
{
strcpy(cseq_method,value+value_offset);
break;
}
value is controlled by the attacker and cseq_method is a fixed
buffer:
char cseq_method[16] = "";
Vendor Status:
The Ethereal development team has released a patched version of
Ethereal (0.10.11) which can be downloaded from:
http://ethereal.com/download.html
Special thanks:
Tim Newsham for:
1) Being one of the smartest people we know.
2) His assistance in debugging this vulnerability.
Disclamer:
The contents of this advisory are copyright (c) 2005 SecurityLab
Technologies and may be distributed freely provided that no fee
is charged for this distribution and proper credit is given.
About SecurityLab
SecurityLab Technologies Inc. provides security services for government
agencies and corporations requiring expert assistance with technology
threat management. The company is headquartered in Boston, MA, more
information about SecurityLab is available at, www.securitylab.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists