SecurityTracker.com
Category:   Application (Generic)  >   Wireshark
Vendors:   Wireshark.org
Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006974
SecurityTracker URL:  http://securitytracker.com/id/1006974
CVE Reference:   CVE-2003-0428, CVE-2003-0429, CVE-2003-0430, CVE-2003-0431, CVE-2003-0432
Updated:  Dec 4 2003
Original Entry Date:  Jun 13 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.9.12
Description:   Several security vulnerabilities were reported in the Ethereal network sniffer. A remote user may be able to crash the sniffer or execute arbitrary code.

It is reported that some of the Ethereal protocol dissectors contain flaws in allocating memory and parsing strings.

The DCERPC dissector reportedly allocates too much memory in some cases when decoding a Network Data Representation (NDR) string. The OSI dissector reportedly contains a buffer overflow that can be triggered by invalid IPv4 or IPv6 prefix lengths. The SPNEGO dissector can be crashed when parsing an invalid ASN.1 value.

It is also reported that the tvb_get_nstringz0() function does not properly accommodate a zero-length buffer size and that the BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors do not properly handle certain strings.
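
The zero-length buffer case reported for tvb_get_nstringz0() is a common edge case in bounded string copies from packet data. The following is an added illustration, not Ethereal's code and not a reconstruction of the actual defect: copy_nstringz0() and its parameters are hypothetical, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (not Ethereal's tvb_get_nstringz0()): copy a
 * NUL-terminated string from attacker-controlled packet bytes into buf.
 * Returns the number of bytes stored, excluding the terminator, or -1 when
 * nothing can be stored (bufsize == 0, or offset outside the packet).
 */
long copy_nstringz0(const uint8_t *pkt, size_t pkt_len, size_t offset,
                    char *buf, size_t bufsize)
{
    size_t limit, i;

    /* Zero-length destination: no room even for the terminator. Without
     * this check, "bufsize - 1" below wraps around to SIZE_MAX. */
    if (buf == NULL || bufsize == 0)
        return -1;

    buf[0] = '\0';
    if (pkt == NULL || offset >= pkt_len)
        return -1;

    /* Copy at most bufsize - 1 bytes and never read past the capture. */
    limit = bufsize - 1;
    if (limit > pkt_len - offset)
        limit = pkt_len - offset;

    for (i = 0; i < limit && pkt[offset + i] != '\0'; i++)
        buf[i] = (char)pkt[offset + i];
    buf[i] = '\0';
    return (long)i;
}

int main(void)
{
    /* Constructed sample: "host\0" followed by three unterminated bytes. */
    const uint8_t pkt[] = { 'h', 'o', 's', 't', '\0', 'x', 'y', 'z' };
    char buf[4];

    printf("%ld\n", copy_nstringz0(pkt, sizeof pkt, 0, buf, sizeof buf));
    printf("%ld\n", copy_nstringz0(pkt, sizeof pkt, 0, buf, 0));
    return 0;
}
```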

It is reported that a remote user can create specially crafted packets that will trigger these flaws when the sniffer is operating or when Ethereal reads captured packet traces from a file.

The vendor credits Timo Sirainen and others with reporting these flaws.

Impact:   A remote user can cause the sniffer to crash or to execute arbitrary code with the privileges of the Ethereal process (potentially with root privileges).
Solution:   The vendor has released a fixed version (0.9.13), available at:

http://www.ethereal.com/download.html

Vendor URL:  www.ethereal.com/appnotes/enpa-sa-00010.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 24 2003 (Mandrake Issues Fix) Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Jun 25 2003 (Conectiva Issues Fix) Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Nov 18 2003 (SCO Issues Fix for OpenLinux) Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
SCO has released a fix for OpenLinux 3.1.1.



 Source Message Contents

Subject:  Ethereal


http://www.ethereal.com/appnotes/enpa-sa-00010.html

Name: Several security problems in Ethereal 0.9.12
Docid: enpa-sa-00010

Date: June 11, 2003

Severity: High

DETAILS

Description:
Further source code auditing by Timo Sirainen has turned up several string handling flaws in various protocol dissectors. Separate security problems were discovered by other people:

The DCERPC dissector could try to allocate too much memory while trying to decode an NDR string.
Bad IPv4 or IPv6 prefix lengths could cause an overflow in the OSI dissector.
The SPNEGO dissector could segfault while parsing an invalid ASN.1 value.
The tvb_get_nstringz0() routine incorrectly handled a zero-length buffer size.
The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors handled strings improperly.

Impact:

It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.9.13.






 
 



Copyright 2021, SecurityGlobal.net LLC