Bug 80582 (CVE-2005-1281)

Summary: VUL-0: CVE-2005-1281: tcpdump DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: andreas.taschner, postadal, security-team, thomas
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1281: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patches.tar.gz
tcpdump-bgp-infinite-loop2.patch
tcpdump-bgp-update-poc.c

Description Sebastian Krahmer 2005-04-27 09:22:11 UTC
Date: Tue, 26 Apr 2005 17:24:51 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Two tcpdump DoS


There are two tcpdump DoS (what's the plural of DoS?)

http://www.securityfocus.com/archive/1/396932/2005-04-23/2005-04-29/0
http://www.securityfocus.com/archive/1/396930/2005-04-23/2005-04-29/0

In the event anyone hasn't seen these yet.

-- 
    JB
Comment 1 Sebastian Krahmer 2005-04-27 09:23:09 UTC
======================================================
Candidate: CAN-2005-1278
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1278
Reference: BUGTRAQ:20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits.
Reference: URL:http://www.securityfocus.com/archive/1/396932

The isis_print function, as called by isoclns_print, in tcpdump 3.9.1
and earlier allows remote attackers to cause a denial of service
(infinite loop) via a zero length, as demonstrated using a GRE packet.


======================================================
Candidate: CAN-2005-1279
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1279
Reference: BUGTRAQ:20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits.
Reference: URL:http://www.securityfocus.com/archive/1/396932

tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a crafted (1) BGP packet, which is not
properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is not
properly handled by the ldp_print function.


======================================================
Candidate: CAN-2005-1280
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1280
Reference: BUGTRAQ:20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS.
Reference: URL:http://www.securityfocus.com/archive/1/396930

The rsvp_print function in tcpdump 3.9.1 and earlier allows remote
attackers to cause a denial of service (infinite loop) via a crafted
RSVP packet of length 4.


======================================================
Candidate: CAN-2005-1281
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1281
Reference: BUGTRAQ:20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS.
Reference: URL:http://www.securityfocus.com/archive/1/396930

Ethereal 0.10.10 and earlier allows remote attackers to cause a denial
of service (infinite loop) via a crafted RSVP packet of length 4.
Comment 2 Sebastian Krahmer 2005-05-04 08:42:48 UTC
Any news here? Was there a patch discussed on tcpdump list or website?
Comment 3 Marian Jancar 2005-05-16 17:15:44 UTC
For 9.3, 9.2 and SLES9/9.1 fixed all; for 9.0, 8.2 and SLES8 only CAN-2005-1279
and a piece of CAN-2005-1278 not actually related to LDP seems to apply. Please
review the patches.
Comment 4 Marian Jancar 2005-05-16 17:17:55 UTC
Created attachment 37179 [details]
patches.tar.gz

patches.tar.gz
Comment 5 Marian Jancar 2005-05-18 13:55:45 UTC
packages submitted
Comment 6 Ludwig Nussel 2005-05-19 11:58:52 UTC
SM-Tracker-1215
Comment 7 Ludwig Nussel 2005-05-19 12:13:42 UTC
did you write the patches yourself or are they taken from upstream?
Comment 8 Ludwig Nussel 2005-05-31 09:30:16 UTC
Another similar bug in same code:

Date: Tue, 31 May 2005 00:49:19 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: vendor-sec@lst.de
Cc: Guy Harris <guy@alum.mit.edu>,
        FreeBSD Security Team <security-team@FreeBSD.org>
Subject: [vendor-sec] Another tcpdump BGP infinite loop vulnerability
 
[I have CC'ed Guy Harris since he made the commit to tcpdump 3.9 which 
fixes this problem] 
 
Hello 
 
While working on the FreeBSD Security Advisory for the recent tcpdump 
issues (CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280) I noticed 
that there is another similar infinite loop DoS vulnerability in the 
BGP handling code. 
 
The problem lies in bgp_update_print() in print-bgp.c around line 
1652, where the -1 return value from decode_prefix4() is not properly 
handled. 
 
This problem was fixed in tcpdump CVS repository in print-bgp.c 
v. 1.95 on May 5, but it hasn't gone to the tcpdump 3.8 branch, and 
hasn't been included in any of the vendor patch sets for earlier DoS 
vulnerabilities that I have seen. 
 
I have verified that the infinite loop indeed can be exploited against 
tcpdump 3.8.3 on FreeBSD, which included the patches for the already 
public DoS vulnerabilities, and against a Gentoo Linux with 
tcpdump-3.8.3-r2, which should be fixed according to GLSA-200505-06. 
 
I have attached my very ugly proof-of-concept exploit code (which is 
based on bgp4_update.c from libnet) and the patch which fixes the 
problem (based on part of print-bgp.c v. 1.95).  The proof-of-concept 
has been tested on FreeBSD using libnet 1.1.2.1. 
 
I have not made this public yet, but it is semi-public since it has 
been fixed in the public tcpdump CVS tree.  Personally I don't know if 
a (short) embargo is needed - I'm open to suggestions, but please 
don't publish this info until an embargo date (or no embargo) has been 
agreed on - thanks. 
 
This issue is similar to CAN-2005-1279, so I don't know if that CVE
name should be used or a new one should be assigned.

I'm not directly on vendor-sec myself, so please keep me in CC.

--
Simon L. Nielsen
FreeBSD Security Team
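The mail above describes the failure shape without showing it: a prefix-walking loop that subtracts the decoder's return value from the remaining length, so a -1 "malformed" result never drives the length to zero. The following is an added illustration written for this bug record, not tcpdump's print-bgp.c, Guy Harris's CVS fix, or Simon Nielsen's patch. `decode_prefix4_example` and `walk_nlri_example` are hypothetical stand-ins for the real decoder and its caller, and the NLRI byte strings are constructed sample input. The guard is written as `advance <= 0` rather than `== -1` so that it also covers the zero-length advance class from the ISIS candidate in comment 1, which is a generalization beyond the BGP case the mail reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder (not tcpdump's decode_prefix4): parse one IPv4
 * NLRI entry, a 1-byte prefix length followed by ceil(plen/8) address
 * bytes. Returns bytes consumed (>= 1), or -1 if the entry is malformed
 * or truncated relative to the bytes still available. */
int decode_prefix4_example(const uint8_t *p, size_t remaining,
                           char *out, size_t outlen)
{
    if (remaining < 1)
        return -1;                      /* no room for the length byte */
    unsigned plen = p[0];
    if (plen > 32)
        return -1;                      /* impossible IPv4 prefix length */
    size_t nbytes = (plen + 7) / 8;
    if (remaining < 1 + nbytes)
        return -1;                      /* address bytes truncated */

    uint8_t addr[4] = {0, 0, 0, 0};
    memcpy(addr, p + 1, nbytes);
    snprintf(out, outlen, "%u.%u.%u.%u/%u",
             addr[0], addr[1], addr[2], addr[3], plen);
    return (int)(1 + nbytes);
}

/* Hypothetical caller standing in for the NLRI loop in bgp_update_print().
 * Returns the number of prefixes decoded, or -1 on malformed input.
 * The essential check is `advance <= 0`: without it, `len -= advance`
 * with advance == -1 makes len grow (or wrap, if unsigned) and the loop
 * never terminates; a zero advance would likewise spin forever. */
int walk_nlri_example(const uint8_t *p, size_t len)
{
    int count = 0;
    char buf[32];

    while (len > 0) {
        int advance = decode_prefix4_example(p, len, buf, sizeof buf);
        if (advance <= 0)
            return -1;                  /* stop on error instead of looping */
        p   += advance;
        len -= (size_t)advance;
        count++;
    }
    return count;
}

/* Constructed sample input (not captured traffic):
 * 10.0.1.0/24 (4 bytes), 192.168.0.0/16 (3 bytes), 0.0.0.0/0 (1 byte). */
static const uint8_t GOOD_NLRI[] = { 24, 10, 0, 1,  16, 192, 168,  0 };

/* Constructed: a valid prefix followed by an impossible length byte 0xFF. */
static const uint8_t BAD_LEN_NLRI[] = { 24, 10, 0, 1,  0xFF, 1, 2 };

/* Constructed: length byte promises 3 address bytes, only 2 are present. */
static const uint8_t TRUNCATED_NLRI[] = { 24, 10, 0 };

int main(void)
{
    printf("good: %d prefixes\n", walk_nlri_example(GOOD_NLRI, sizeof GOOD_NLRI));
    printf("bad length: %d\n", walk_nlri_example(BAD_LEN_NLRI, sizeof BAD_LEN_NLRI));
    printf("truncated: %d\n", walk_nlri_example(TRUNCATED_NLRI, sizeof TRUNCATED_NLRI));
    return 0;
}
```

Detecting this class of defect in review comes down to one question per parsing loop: does every path through the loop body strictly decrease the remaining length, including the error path? Returning a signed "consumed or -1" value from a decoder is fine as long as the caller treats anything that is not a positive advance as a terminating condition.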
Comment 9 Ludwig Nussel 2005-05-31 09:30:56 UTC
Created attachment 38363 [details]
tcpdump-bgp-infinite-loop2.patch
Comment 10 Ludwig Nussel 2005-05-31 09:31:21 UTC
Created attachment 38364 [details]
tcpdump-bgp-update-poc.c
Comment 11 Ludwig Nussel 2005-05-31 16:04:25 UTC
CAN-2005-1267 
Comment 12 Marian Jancar 2005-06-06 15:23:22 UTC
taken from upstream and adapted to patch the older versions
Comment 13 Marian Jancar 2005-06-06 16:08:01 UTC
submitted fixes for 9.2 and 9.3, older distributions seem unaffected
Comment 14 Michael Schröder 2005-06-07 10:34:45 UTC
OK, thanks. The SLEC version is missing, please submit also a patched version
for /work/SRC/old-versions/8.1/SLEC/all/tcpdump.
Comment 15 Marcus Meissner 2005-06-07 11:01:20 UTC
please coalesce both SLEC and UL1 version, they should not be different I
think
Comment 16 Michael Schröder 2005-06-14 19:24:53 UTC
OK. Done.
Comment 17 Marian Jancar 2005-06-22 15:49:11 UTC
The patchinfo for SLEC is not necessary now, right?
Comment 18 Marcus Meissner 2005-06-22 15:52:08 UTC
sles8-slec-i386 needs to be mentioned still, but no extra package is
necessary.

btw, since this is just 1 package, you can write 2 patchinfos:
1 for all maintained products (sles...)
1 for all box products (x.x-i386/x.x-x86_64)

btw, please prioritize sudo higher than this issue.
Comment 19 Marian Jancar 2005-06-22 16:36:15 UTC
*** Bug 91571 has been marked as a duplicate of this bug. ***
Comment 20 Thomas Biege 2005-06-27 08:02:21 UTC
packages released
Comment 21 Thomas Biege 2009-10-13 21:19:45 UTC
CVE-2005-1281: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)