>
> Multiple Vendor Ethereal srvloc Buffer Overflow Vulnerability
>
> iDEFENSE Security Advisory 10.20.05
> www.idefense.com/application/poi/display?id=323&type=vulnerabilities
> October 20, 2005
>
> I. BACKGROUND
>
> Ethereal is a full featured open source network protocol analyzer.
> For more information, see http://www.ethereal.com/
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow vulnerability in the Service
> Location Protocol (srvloc) dissectors within Ethereal, as included in
> various vendors' operating system distributions, could allow attackers
> to crash the vulnerable process or execute arbitrary code.
>
> The vulnerable code follows:
>
> ./epan/dissectors/packet-srvloc.c:429
>
> static guint8*
> unicode_to_bytes(tvbuff_t *tvb, int offset, int length, gboolean endianness)
> {
>     const char *ascii_text = tvb_get_ptr(tvb, offset, length);
>     int i, j=0;
>     guint8 c_char, c_char1;
>     static guint8 byte_array[255];
>
>     if (endianness) {
>         ...
>         }
>     }
>     else
>     {
>         for (i = 0; i < length; i++) {
>             c_char = ascii_text[i];
>             if (c_char != 0) {
>                 byte_array[j] = c_char;
>                 j++;
>             }
>         }
>     }
>
>     byte_array[j]=0;
>     return byte_array;
> }
>
>
> This function is called with a user-controlled length value on line 581
> in the same file. This allows an attacker to cause an overflow of the
> byte_array array, as values greater than 255 may be specified. In lab
> analysis, it has been demonstrated that there are several interesting
> values beyond this array that make arbitrary code execution possible.
>
> To cause Ethereal to dissect an arbitrary packet with the srvloc
> dissector, the source or destination port must be set to TCP port 427,
> and the destination port must not be a port with any registered
> dissector. As Ethereal does not keep state, a single spoofed TCP data
> packet can be used to exploit this vulnerability, regardless of whether
> there are any ports listening on either end.
>
> III. ANALYSIS
>
> Exploitation could result in remote root access, as Ethereal must have
> root privileges to open a raw socket.
>
> Ethereal is often used by network administrators to debug network
> problems, and compromise of a network administrator's machine can lead to
> further compromise of the network.
>
> IV. DETECTION
>
> Ethereal versions 0.10.12 and earlier are reportedly vulnerable. The
> following vendors include susceptible Ethereal packages within their
> respective operating system distributions:
>
> The Debian Project: Debian GNU/Linux 3.0
> The FreeBSD Project: FreeBSD 5.4 and earlier
> Gentoo Foundation Inc.: Gentoo Linux 2004.0, 2004.1, 2004.2, 2004.3
> and 2005.0
> Mandriva SA: Mandriva Linux 10.1, 10.1 (x86_64), LE2005 and
> LE2005 (x86_64)
> Novell Inc.: SUSE Linux versions 9.0, 9.1, 9.2 and 9.3
> Red Hat Inc.: Fedora Core 3 and 4
> Red Hat Desktop (v. 3) Red Hat Desktop (v. 4)
> Red Hat Enterprise Linux AS (v. 2.1)
> Red Hat Enterprise Linux AS (v. 3)
> Red Hat Enterprise Linux AS (v. 4)
> Red Hat Enterprise Linux ES (v. 2.1)
> Red Hat Enterprise Linux ES (v. 3)
> Red Hat Enterprise Linux ES (v. 4)
> Red Hat Enterprise Linux WS (v. 2.1)
> Red Hat Enterprise Linux WS (v. 3)
> Red Hat Enterprise Linux WS (v. 4)
> Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
>
> V. WORKAROUND
>
> When using Ethereal, use the following filter to disable port 427, and
> therefore, automatic srvloc dissection:
>
> not port 427
>
> VI. VENDOR RESPONSE
>
> The vendor has addressed this issue in ethereal 0.10.13, available for
> download at:
>
> http://www.ethereal.com/download.html
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2005-3184 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/12/2005 Initial vendor notification
> 10/12/2005 Initial vendor response
> 10/20/2005 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright (c) 2005 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
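The root cause quoted in the advisory is a caller-supplied length copied into a fixed 255-byte static array with no bounds check. The following is an added illustration, not Ethereal's code or iDEFENSE's: a stand-alone, bounds-checked rewrite of the NUL-stripping branch that takes the output buffer size as a parameter and fails closed when the input would not fit (function and driver names are invented for this example; the inputs are constructed).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BYTE_ARRAY_SIZE 255   /* same size as the static buffer in the advisory */

/*
 * Bounds-checked equivalent of the non-endianness branch of unicode_to_bytes().
 * Copies every non-NUL byte of `in` (length `length`) into `out`, which holds
 * `out_size` bytes, and NUL-terminates the result. Returns the number of bytes
 * stored, or -1 when the result plus its terminator would not fit; in that case
 * `out` is still NUL-terminated with what did fit, so the caller can reject the
 * packet instead of writing past the buffer.
 */
long strip_nul_bytes(const uint8_t *in, size_t length,
                     uint8_t *out, size_t out_size)
{
    size_t j = 0;
    if (out_size == 0)
        return -1;
    for (size_t i = 0; i < length; i++) {
        if (in[i] == 0)
            continue;                  /* drop the high byte of each UTF-16 unit */
        if (j + 1 >= out_size) {       /* keep one byte for the terminator */
            out[j] = 0;
            return -1;
        }
        out[j++] = in[i];
    }
    out[j] = 0;
    return (long)j;
}

/* Constructed input: "hello" as UTF-16LE fits and is stripped to ASCII.
 * Returns the byte count on success, -2 if the stripped text is wrong. */
long demo_short(void)
{
    static const uint8_t utf16le[] = { 'h',0,'e',0,'l',0,'l',0,'o',0 };
    uint8_t out[BYTE_ARRAY_SIZE];
    long n = strip_nul_bytes(utf16le, sizeof utf16le, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 6) == 0) ? n : -2;
}

/* Constructed input: 300 non-NUL bytes, i.e. a length above the 255-byte
 * array, which the original code would have written past; here it is refused. */
long demo_oversized(void)
{
    uint8_t big[300];
    memset(big, 'A', sizeof big);
    uint8_t out[BYTE_ARRAY_SIZE];
    return strip_nul_bytes(big, sizeof big, out, sizeof out);
}
```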