Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1006974
SecurityTracker URL: http://securitytracker.com/id/1006974
CVE Reference:
CVE-2003-0428, CVE-2003-0429, CVE-2003-0430, CVE-2003-0431, CVE-2003-0432
Updated: Dec 4 2003
Original Entry Date: Jun 13 2003
Impact:
Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.9.12
Description:
Several security vulnerabilities were reported in the Ethereal network sniffer. A remote user may be able to crash the sniffer or execute arbitrary code.
It is reported that some of the Ethereal protocol dissectors contain flaws in allocating memory and parsing strings.
The DCERPC dissector reportedly allocates too much memory in some cases when decoding a Network Data Representation (NDR) string. The OSI dissector reportedly contains a buffer overflow that can be triggered by invalid IPv4 or IPv6 prefix lengths. The SPNEGO dissector can be crashed when parsing an invalid ASN.1 value.
It is also reported that the tvb_get_nstringz0() function does not properly accommodate a zero-length buffer size and that the BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors do not properly handle certain strings.
It is reported that a remote user can create specially crafted packets that will trigger these flaws when the sniffer is operating or when Ethereal reads captured packet traces from a file.
The vendor credits Timo Sirainen and others with reporting these flaws.
Impact:
A remote user can cause the sniffer to crash or to execute arbitrary code with the privileges of the Ethereal process (potentially with root privileges).
Solution:
The vendor has released a fixed version (0.9.13), available at:
http://www.ethereal.com/download.html
Vendor URL: www.ethereal.com/appnotes/enpa-sa-00010.html
Cause:
Boundary error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: Ethereal
http://www.ethereal.com/appnotes/enpa-sa-00010.html
Name: Several security problems in Ethereal 0.9.12
Docid: enpa-sa-00010
Date: June 11, 2003
Severity: High
DETAILS
Description:
Further source code auditing by Timo Sirainen has turned up several string handling flaws in various protocol dissectors. Separate security problems were discovered by other people:
The DCERPC dissector could try to allocate too much memory while trying to decode an NDR string.
Bad IPv4 or IPv6 prefix lengths could cause an overflow in the OSI dissector.
The SPNEGO dissector could segfault while parsing an invalid ASN.1 value.
The tvb_get_nstringz0() routine incorrectly handled a zero-length buffer size.
The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors handled strings improperly.
Impact:
It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.
Resolution:
Upgrade to 0.9.13.
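The three defect classes named in both descriptions above (an oversized length field driving an allocation, a prefix length larger than the address family allows, and a zero-length destination buffer) share one fix: validate the untrusted value against the real bound before any allocation or copy. The following C is an added illustrative hardening pattern, not Ethereal's own dissector code; the function names, the 32/128-bit prefix maxima and the sample input are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustrative hardening pattern, not Ethereal's own code. */
#define IPV4_MAX_PREFIX 32
#define IPV6_MAX_PREFIX 128

/* Turn an untrusted prefix length into the number of address bytes that follow.
 * Returns -1 when the prefix length exceeds the address family's maximum, so the
 * caller never copies more than its fixed-size address buffer can hold. */
int prefix_len_to_bytes(int is_ipv6, unsigned prefix_len)
{
    unsigned max_bits = is_ipv6 ? IPV6_MAX_PREFIX : IPV4_MAX_PREFIX;
    if (prefix_len > max_bits)
        return -1;
    return (int)((prefix_len + 7) / 8); /* round up to whole bytes */
}

/* Check an NDR string's claimed character count against the bytes actually left
 * in the packet before allocating or copying anything. Dividing instead of
 * multiplying avoids integer overflow in claimed_len * char_size. 0 means sane. */
int check_ndr_string_len(uint32_t claimed_len, size_t char_size, size_t remaining)
{
    if (char_size == 0 || claimed_len > remaining / char_size)
        return -1;
    return 0;
}

/* Copy a NUL-terminated string from src (src_len bytes available) into dst,
 * writing at most bufsize bytes including the terminator. A bufsize of 0 is
 * handled explicitly: nothing is written and 0 is returned. */
size_t copy_nstringz0(char *dst, size_t bufsize, const uint8_t *src, size_t src_len)
{
    size_t n = 0;
    if (bufsize == 0)
        return 0;
    while (n < bufsize - 1 && n < src_len && src[n] != '\0') {
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Drive copy_nstringz0 over a constructed sample so the zero-length case can be
 * observed without the caller setting up buffers. Returns bytes copied. */
size_t copy_nstringz0_demo(size_t bufsize)
{
    static const uint8_t sample[] = "abcdef"; /* constructed input, 7 bytes incl. NUL */
    char dst[8];
    if (bufsize > sizeof dst)
        return (size_t)-1;
    return copy_nstringz0(dst, bufsize, sample, sizeof sample);
}
```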