SecurityTracker.com
Category:   Application (Generic)  >   Wireshark
Vendors:   Wireshark.org
(SCO Issues Fix for OpenLinux) Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008226
SecurityTracker URL:  http://securitytracker.com/id/1008226
CVE Reference:   CVE-2003-0428, CVE-2003-0429, CVE-2003-0430, CVE-2003-0431, CVE-2003-0432
Updated:  Dec 4 2003
Original Entry Date:  Nov 18 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.12
Description:   Several security vulnerabilities were reported in the Ethereal network sniffer. A remote user may be able to crash the sniffer or execute arbitrary code.

It is reported that some of the Ethereal protocol dissectors contain flaws in allocating memory and parsing strings.

The DCERPC dissector reportedly allocates too much memory in some cases when decoding a Network Data Representation (NDR) string. The OSI dissector reportedly contains a buffer overflow that can be triggered by invalid IPv4 or IPv6 prefix lengths. The SPNEGO dissector can be crashed when parsing an invalid ASN.1 value.

It is also reported that the tvb_get_nstringz0() function does not properly accommodate a zero-length buffer size and that the BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors do not properly handle certain strings.

It is reported that a remote user can create specially crafted packets that will trigger these flaws when the sniffer is operating or when Ethereal reads captured packet traces from a file.
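
The two flaw classes above that turn on a single length value (an out-of-range address prefix length, and a zero-length destination buffer) come down to checks like the following. This is an added illustration, not Ethereal or SCO code; the function names, signatures and sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not Ethereal source code. */

/* Copy a prefix of prefix_bits bits into addr (addr_len = 4 for IPv4,
 * 16 for IPv6). Returns bytes consumed, or -1 if the field is malformed. */
int copy_prefix(const uint8_t *data, size_t avail, unsigned prefix_bits,
                uint8_t *addr, size_t addr_len)
{
    size_t nbytes = ((size_t)prefix_bits + 7) / 8;
    memset(addr, 0, addr_len);
    if (prefix_bits > addr_len * 8)  /* e.g. /33 for IPv4, /129 for IPv6 */
        return -1;
    if (nbytes > avail)              /* fewer bytes captured than claimed */
        return -1;
    memcpy(addr, data, nbytes);
    if (prefix_bits % 8)             /* clear bits past the prefix */
        addr[nbytes - 1] &= (uint8_t)(0xFFu << (8 - prefix_bits % 8));
    return (int)nbytes;
}

/* Copy at most bufsize-1 bytes and always NUL-terminate. Returns the
 * string length, or -1 when bufsize is 0 and nothing may be written. */
int get_stringz0_checked(const uint8_t *data, size_t avail,
                         char *buf, size_t bufsize)
{
    size_t limit, i;
    if (bufsize == 0)                /* bufsize - 1 would wrap to SIZE_MAX */
        return -1;
    limit = (bufsize - 1 < avail) ? bufsize - 1 : avail;
    for (i = 0; i < limit && data[i] != '\0'; i++)
        buf[i] = (char)data[i];
    buf[i] = '\0';
    return (int)i;
}

int main(void)
{
    const uint8_t pkt[] = { 0xC0, 0xA8, 0x1F };  /* constructed sample */
    uint8_t v4[4];
    char name[4];
    printf("%d ", copy_prefix(pkt, sizeof pkt, 20, v4, sizeof v4));
    printf("%d ", copy_prefix(pkt, sizeof pkt, 33, v4, sizeof v4));
    printf("%d\n", get_stringz0_checked(pkt, sizeof pkt, name, 0));
    return 0;
}
```

Both helpers reject the bad length before any write, so a malformed field produces an error return rather than a copy sized by attacker-supplied data.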

The vendor credits Timo Sirainen and others with reporting these flaws.

Impact:   A remote user can cause the sniffer to crash or to execute arbitrary code with the privileges of the Ethereal process (potentially with root privileges).
Solution:   SCO has released a fix for OpenLinux.

OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-030.0/RPMS

Packages

9c5039a96d35a4bb91cddfa40adb7e2c ethereal-0.9.13-1.i386.rpm

Installation

rpm -Fvh ethereal-0.9.13-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-030.0/SRPMS

Source Packages

991395b4b4bcf0375e7dfe6a09108faf ethereal-0.9.13-1.src.rpm


OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-030.0/RPMS

Packages

9d87667d906a624fc6e05434187941c1 ethereal-0.9.13-1.i386.rpm

Installation

rpm -Fvh ethereal-0.9.13-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-030.0/SRPMS

Source Packages

391d94b691aee0b3194583675c400cd7 ethereal-0.9.13-1.src.rpm

Vendor URL:  www.ethereal.com/appnotes/enpa-sa-00010.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux 3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 13 2003 Ethereal Flaws in DCERPC, OSI, and Other Dissectors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  OpenLinux: Multiple vulnerabilities have reported in Ethereal 0.9.12



To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com security-alerts@linuxsecurity.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 
______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: Multiple vulnerabilities have reported in Ethereal 0.9.12
Advisory number: 	CSSA-2003-030.0
Issue date: 		2003 November 07
Cross reference: 	sr883585 fz528203 erg712398 CAN-2003-0428 CAN-2003-0429 CAN-2003-0430 CAN-2003-0431 CAN-2003-0432
______________________________________________________________________________


1. Problem Description

	Multiple vulnerabilities have been reported in Ethereal 0.9.12. 
	
	Ethereal is a freely available network protocol analyzer for 
	Microsoft Windows and multiple Unix-based operating systems. 
	
	Ethereal versions 0.9.12 and earlier are vulnerable to multiple 
	issues. The vulnerabilities are: 
	
	1. The DCERPC dissector could try to allocate too much memory 
	while trying to decode an NDR string. The Common Vulnerabilities 
	and Exposures project (cve.mitre.org) has assigned the following 
	name CAN-2003-0428 to this issue. 
	
	2. Bad IPv4 or IPv6 prefix lengths could cause an overflow in the 
	OSI dissector. The Common Vulnerabilities and Exposures project 
	(cve.mitre.org) has assigned the following name CAN-2003-0429 to 
	this issue. 
	
	3. The SPNEGO dissector could segfault while parsing an invalid 
	ASN.1 value. The Common Vulnerabilities and Exposures project 
	(cve.mitre.org) has assigned the following name CAN-2003-0430 
	to this issue. 
	
	4. The tvb_get_nstringz0() routine incorrectly handled a zero-
	length buffer size. The Common Vulnerabilities and Exposures 
	project (cve.mitre.org) has assigned the following name 
	CAN-2003-0431 to this issue. 
	
	5. The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI 
	dissectors handled strings improperly. The Common Vulnerabilities 
	and Exposures project (cve.mitre.org) has assigned the following 
	name CAN-2003-0432 to this issue. 
	
	POTENTIAL IMPACT 
	It may be possible to make Ethereal crash or run arbitrary code
	by injecting a purposefully malformed packet onto the wire,
	or by convincing someone to read a malformed packet trace file.

2. Vulnerable Supported Versions

	System				Package
	-------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to ethereal-0.9.13-1.i386.rpm
	OpenLinux 3.1.1 Workstation	prior to ethereal-0.9.13-1.i386.rpm

3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-030.0/RPMS

	4.2 Packages

	9c5039a96d35a4bb91cddfa40adb7e2c	ethereal-0.9.13-1.i386.rpm

	4.3 Installation

	rpm -Fvh ethereal-0.9.13-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-030.0/SRPMS

	4.5 Source Packages

	991395b4b4bcf0375e7dfe6a09108faf	ethereal-0.9.13-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-030.0/RPMS

	5.2 Packages

	9d87667d906a624fc6e05434187941c1	ethereal-0.9.13-1.i386.rpm

	5.3 Installation

	rpm -Fvh ethereal-0.9.13-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-030.0/SRPMS

	5.5 Source Packages

	391d94b691aee0b3194583675c400cd7	ethereal-0.9.13-1.src.rpm


6. References

	Specific references for this advisory:
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0428	
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0429
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0430
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0431
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0432

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr883585 fz528203
	erg712398.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj+sNhQACgkQbluZssSXDTEZMwCfUH9bcXlH1HwcxpnZp2+wIWvx
CCEAoKkO/by2uLsop7CdEmSE2zvXUY/A
=T8Uu
-----END PGP SIGNATURE-----


 
 



Copyright 2020, SecurityGlobal.net LLC