Ethereal Network Sniffer Has Multiple Bugs That May Allow Remote Users to Send Packets to Execute Arbitrary Code or Cause the Sniffer to Hang or Crash
SecurityTracker Alert ID: 1004344
SecurityTracker URL: http://securitytracker.com/id/1004344
CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404
Date: May 21 2002
Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.9.3 and prior
Several potential vulnerabilities have been reported in the Ethereal network sniffer. A remote user could cause the sniffer to crash or possibly execute arbitrary code.
According to the vendor, there are several bugs in Ethereal that could be exploited by remote users. A remote user could send a specially crafted packet over the network that Ethereal is monitoring to trigger these vulnerabilities. These security holes can also be triggered when a local user opens a malformed packet trace file.
The bugs are reported to exist in the following components:
- SMB dissector; a remote user could dereference a NULL pointer in two cases.
- X11 dissector; a remote user could trigger a buffer overflow while parsing keysyms.
- DNS dissector; a remote user could create a malformed packet to cause this module to enter an infinite loop.
- GIOP dissector; a remote user could cause this module to allocate large amounts of memory.
A remote user could cause Ethereal to hang, to crash, or to execute arbitrary code.
The vendor has released a fixed version (0.9.4), available at:
Vendor URL: www.ethereal.com/appnotes/enpa-sa-00004.html
Boundary error, State error
Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 21 May 2002 13:51:40 -0400
Subject: Potential issues with Ethereal 0.9.3
Name: Potential issues with Ethereal 0.9.3
Date: May 19, 2002
Four potential security issues have been discovered in Ethereal 0.9.3:
* The SMB dissector could potentially dereference a NULL pointer in
* The X11 dissector could potentially overflow a buffer while
* The DNS dissector could go into an infinite loop while reading a
* The GIOP dissector could potentially allocate large amounts of
No known exploits exist "in the wild" at the present time for any of
Versions prior to 0.9.3 are also subject to these bugs. In order to
determine which version of Ethereal you have installed, do one of the
* Load Ethereal and go to the Help->About Ethereal... menu item.
* From the command line run
(the "v" is lowercase).
Either action will display the application version along with the
libraries that Ethereal and Tethereal are linked with. If version
"0.9.3" or prior is displayed, the application is susceptible.
It may be possible to make Ethereal crash or hang by injecting a
purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file. It may be possible to make Ethereal
run arbitrary code by exploiting the buffer and pointer problems.
Upgrade to 0.9.4.
If you are running a version prior to 0.9.4, you can disable the
dissectors for each of these protocols by selecting Edit->Protocols...
and deselecting them from the list.