SecurityTracker.com
Category:   Application (Generic)  >   Wireshark
Vendors:   Wireshark.org
(Conectiva Issues Fix) Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007061
SecurityTracker URL:  http://securitytracker.com/id/1007061
CVE Reference:   CVE-2003-0428, CVE-2003-0429, CVE-2003-0430, CVE-2003-0431, CVE-2003-0432
Updated:  Dec 4 2003
Original Entry Date:  Jun 25 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.12
Description:   Several security vulnerabilities were reported in the Ethereal network sniffer. A remote user may be able to crash the sniffer or execute arbitrary code.

It is reported that some of the Ethereal protocol dissectors contain flaws in allocating memory and parsing strings.

The DCERPC dissector reportedly allocates too much memory in some cases when decoding a Network Data Representation (NDR) string. The OSI dissector reportedly contains a buffer overflow that can be triggered by invalid IPv4 or IPv6 prefix lengths. The SPNEGO dissector can be crashed when parsing an invalid ASN.1 value.

It is also reported that the tvb_get_nstringz0() function does not properly accommodate a zero-length buffer size and that the BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors do not properly handle certain strings.

It is reported that a remote user can create specially crafted packets that will trigger these flaws when the sniffer is operating or when Ethereal reads captured packet traces from a file.

The vendor credits Timo Sirainen and others with reporting these flaws.
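
An added illustration (not Ethereal's code, which this page does not show) of the two length checks the description points at: a bounded string copy that tolerates a zero-length destination buffer, and a prefix decoder that rejects an out-of-range IPv4 or IPv6 prefix length before copying. The function names `copy_nstringz0` and `decode_prefix` and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not Ethereal's code. Copies a string out of packet
 * data; always NUL-terminates when dstsize > 0 and writes nothing when
 * dstsize == 0 (where dstsize - 1 would wrap). Returns bytes stored. */
size_t copy_nstringz0(char *dst, size_t dstsize,
                      const uint8_t *src, size_t srclen)
{
    size_t n = 0;
    if (dst == NULL || dstsize == 0)
        return 0;
    if (src == NULL) srclen = 0;
    while (n < dstsize - 1 && n < srclen && src[n] != '\0') {
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Decode a prefix of prefix_bits bits (max_bits: 32 for IPv4, 128 for IPv6)
 * into out, zero-padded to the full address size. Returns the number of
 * prefix bytes consumed, or -1 when any length is out of range. */
int decode_prefix(const uint8_t *pkt, size_t pktlen, unsigned prefix_bits,
                  unsigned max_bits, uint8_t *out, size_t outsize)
{
    size_t addr_bytes = max_bits / 8;
    size_t nbytes = ((size_t)prefix_bits + 7) / 8;

    if (pkt == NULL || out == NULL || (max_bits != 32 && max_bits != 128))
        return -1;
    /* prefix_bits comes from the packet and is attacker-controlled. */
    if (prefix_bits > max_bits || nbytes > pktlen || addr_bytes > outsize)
        return -1;
    memset(out, 0, addr_bytes);
    memcpy(out, pkt, nbytes);
    if (prefix_bits % 8 != 0)   /* clear host bits past the prefix */
        out[nbytes - 1] &= (uint8_t)(0xFF << (8 - prefix_bits % 8));
    return (int)nbytes;
}

int main(void)
{
    const uint8_t pkt[] = { 0xC0, 0xA8, 0x1F };   /* constructed /20 prefix */
    uint8_t addr[4];
    return decode_prefix(pkt, sizeof pkt, 20, 32, addr, sizeof addr) == 3 ? 0 : 1;
}
```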

Impact:   A remote user can cause the sniffer to crash or to execute arbitrary code with the privileges of the Ethereal process (potentially with root privileges).
Solution:   Conectiva has released a fix:

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ethereal-0.9.13-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ethereal-0.9.13-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-common-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-gtk-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-utils-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/tethereal-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/ethereal-0.9.13-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-common-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-gtk-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-utils-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/tethereal-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/ethereal-0.9.13-27097U90_1cl.src.rpm

Vendor URL:  www.ethereal.com/appnotes/enpa-sa-00010.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  7.0, 8, 9

Message History:   This archive entry is a follow-up to the message listed below.
Jun 13 2003 Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [conectiva-updates] [CLA-2003:662] Conectiva Security Announcement - ethereal


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : ethereal
SUMMARY   : Several vulnerabilities
DATE      : 2003-06-25 17:06:00
ID        : CLA-2003:662
RELEVANT
RELEASES  : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
 Ethereal[1] is a powerful network traffic analyzer with a graphical
 user interface (GUI).
 
 This update announcement addresses several vulnerabilities[2,3] in
 ethereal versions <= 0.9.12. These vulnerabilities can be exploited
 by an attacker who can insert crafted packets in the wire being
 monitored by ethereal or make a user open a trace file with such
 packets inside. Successful exploitation of these vulnerabilities can
 lead to denial of service conditions and/or remote execution of
 arbitrary code.
 
 The following vulnerabilities have been fixed:
 
 - Denial of Service (DoS) in the DCERPC dissector when trying to
 decode an NDR string[4];
 - Buffer overflow in the OSI dissector when decoding IPv4 or IPv6
 prefixes[5];
 - Denial of Service (DoS) in the SPNEGO dissector when parsing an
 invalid ASN.1 value[6];
 - Memory handling error in the tvb_get_nstringz0() routine when
 handling a zero-length buffer size[7];
 - String handling vulnerabilities in the BGP, WTP, DNS, 802.11,
 ISAKMP, WSP, CLNP, ISIS and RMI dissectors[8].
 
 The Common Vulnerabilities and Exposures (CVE) project has assigned
 the names CAN-2003-04{28,29,30,31,32} to these issues, respectively.


SOLUTION
 All ethereal users should upgrade their packages. 
 
 
 REFERENCES:
 1.http://www.ethereal.com
 2.http://www.ethereal.com/appnotes/enpa-sa-00010.html
 3.http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=8687
 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0428
 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0429
 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0430
 7.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0431
 8.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0432


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ethereal-0.9.13-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ethereal-0.9.13-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-common-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-gtk-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/ethereal-utils-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/tethereal-0.9.13-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/ethereal-0.9.13-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-common-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-gtk-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/ethereal-utils-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/tethereal-0.9.13-27097U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/ethereal-0.9.13-27097U90_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM package upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE++gD042jd0JmAcZARAh44AKCMDCMGQ5E1ckHl43mGiuv8Vk2qSQCfb2zG
Twp5IXDHEXEW1N6pQRTedyA=
=WFav
-----END PGP SIGNATURE-----



 
 



Copyright 2022, SecurityGlobal.net LLC