SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Tcpdump Vendors:   Tcpdump.org
tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process
SecurityTracker Alert ID:  1008735
SecurityTracker URL:  http://securitytracker.com/id/1008735
CVE Reference:   CAN-2004-0055   (Links to External Site)
Updated:  Jan 16 2004
Original Entry Date:  Jan 16 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.8.1
Description:   A vulnerability was reported in tcpdump in the processing of RADIUS packets. A remote user can cause the target tcpdump process to crash.

Jonathan Heusser reported that there is a flaw in 'print-radius.c' in the print_attr_string() function, where the 'length' and 'data' parameters are not properly validated. The report also indicates that there is a flaw in the radius_attr_print() function, where an upper limit for the 'rad_attr->len' is not defined.

A remote user can send a specially crafted RADIUS packet to cause the target process to crash.
Impact:   A remote user can crash the tcpdump process.
Solution:   The vendor has released a fix, available via CVS (see: http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-radius.c).
Vendor URL:  www.tcpdump.org/ (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 16 2004 (Red Hat Issues Fix for RH Enterprise Linux) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Jan 16 2004 (Trustix Issues Fix) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Trustix Security Advisor <tsl@trustix.org>)
Trustix has released a fix.
Jan 17 2004 (Debian Issues Fix) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.
Jan 23 2004 (Turbolinux Issues Fix) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Turbolinux <security-announce@turbolinux.co.jp>)
Turbolinux has issued a fix.
Jan 27 2004 (Mandrake Issues Fix) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Feb 24 2004 (Apple Issues Fix) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Apple Product Security <product-security@apple.com>)
Apple has released Security Update 2004-02-23.
Mar 5 2004 (SCO Issues Fix for OpenLinux) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (please_reply_to_security@sco.com)
SCO has issued a fix for OpenLinux 3.1.1.
Mar 5 2004 (Red Hat Issues Fix for Fedora) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (Harald Hoyer <harald@redhat.com>)
Red Hat has released a fix for Fedora Linux.
Jul 29 2004 (SCO Issues Fix for UnixWare) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process   (please_reply_to_security@sco.com)
SCO has issued a fix for UnixWare.


 Source Message Contents
Date:  Fri, 16 Jan 2004 00:47:19 -0500
Subject:  http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070&w=2


Subject:    [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1
From:       Jonathan Heusser <jonny () drugphish ! ch>
Date:       2004-01-04 21:23:42

Hello,

beside the l2tp vulnerability mentioned on this list this month, I found
two other locations in the code
which an attacker could use to crash, or in the worst case exploit,
tcpdump.

The first critical piece of code is found in print-isakmp.c:332. The
function rawprint() does not
check its arguments thus it's easy for an attacker to pass a big 'len'
or a bogus 'loc' leading to a
segmentation fault in the for loop.
rawprint() gets called at various places in print-isakmp.c.

The second bug is located in print-radius.c:471. The for loop of
print_attr_string() is written in an
unsafe manner. 'length' and 'data' should be checked.
print_attr_string() is called via a function pointer from
radius_attr_print() line 784 where no upper bound
for 'rad_attr->len' is defined. This leads to a segmentation fault aswell.

Both vulnerbilities were tested against tcpdump 3.8.1, libpcap 0.7.1 and
linux.


Thanks,
Jonathan Heusser

-- 
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request@tcpdump.org?body=unsubscribe


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC