
From:SECURITEAM <support_(at)_securiteam.com>
Date:06.05.2005
Subject:[NEWS] Ethereal Protocol Dissectors Buffer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



 Ethereal Protocol Dissectors Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.ethereal.com/> Ethereal is "a popular network protocol
analyzer".

More than fifty vulnerabilities were reported in Ethereal, which could be
exploited by remote attackers to cause a denial of service and potentially
execute arbitrary commands.

DETAILS

Vulnerable Systems:
* Ethereal versions 0.8.14 up to 0.10.10

Immune Systems:
* Ethereal version 0.10.11

It may be possible to make Ethereal crash, use up available memory, or run
arbitrary code by injecting a purposefully malformed packet onto the wire
or by convincing someone to read a malformed packet trace file.

Affected Dissectors:
* The ANSI A dissector was susceptible to format string vulnerabilities. Discovered by Bryan Fulton. Versions affected: 0.9.15 to 0.10.10
* The GSM MAP dissector could crash. Versions affected: 0.10.0 to 0.10.10
* The AIM dissector could cause a crash. Versions affected: 0.9.14 to 0.10.10
* The DISTCC dissector was susceptible to a buffer overflow. Discovered by Ilja van Sprundel. Versions affected: 0.9.13 to 0.10.10
* The FCELS dissector was susceptible to a buffer overflow. Discovered by Neil Kettle. Versions affected: 0.9.9 to 0.10.10
* The SIP dissector was susceptible to a buffer overflow. Discovered by Ejovi Nuwere. Versions affected: 0.10.0 to 0.10.10
* The KINK dissector was susceptible to a null pointer exception, endless looping, and other problems. Versions affected: 0.10.10
* The LMP dissector was susceptible to an endless loop. Versions affected: 0.9.4 to 0.10.10
* The Telnet dissector could abort. Versions affected: 0.9.10 to 0.10.10
* The TZSP dissector could cause a segmentation fault. Versions affected: 0.10.10 to 0.10.10
* The WSP dissector was susceptible to a null pointer exception and assertions. Versions affected: 0.10.0 to 0.10.10
* The 802.3 Slow protocols dissector could throw an assertion. Versions affected: 0.10.10
* The BER dissector could throw assertions. Versions affected: 0.10.2 to 0.10.10
* The SMB Mailslot dissector was susceptible to a null pointer exception and could throw assertions. Versions affected: 0.9.0 to 0.10.10
* The H.245 dissector was susceptible to a null pointer exception. Versions affected: 0.10.10
* The Bittorrent dissector could cause a segmentation fault. Versions affected: 0.10.8 to 0.10.10
* The SMB dissector could cause a segmentation fault and throw assertions. Versions affected: 0.9.0 to 0.10.10
* The Fibre Channel dissector could cause a crash. Versions affected: 0.9.9 to 0.10.10
* The DICOM dissector could attempt to allocate large amounts of memory. Versions affected: 0.10.4 to 0.10.10
* The MGCP dissector was susceptible to a null pointer exception, could loop indefinitely, and segfault. Versions affected: 0.8.14 to 0.10.10
* The RSVP dissector could loop indefinitely. Versions affected: 0.9.8 to 0.10.10
* The DHCP dissector was susceptible to format string vulnerabilities, and could abort. Versions affected: 0.10.7 to 0.10.10
* The SRVLOC dissector could crash unexpectedly or go into an infinite loop. Versions affected: 0.9.8 to 0.10.10
* The EIGRP dissector could loop indefinitely. Versions affected: 0.8.18 to 0.10.10
* The ISIS dissector could overflow a buffer. Versions affected: 0.8.18 to 0.10.10
* The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, and X.509 dissectors could overflow buffers. Versions affected: 0.10.4 to 0.10.10
* The NDPS dissector could exhaust system memory, cause an assertion, or crash. Versions affected: 0.9.12 to 0.10.10
* The Q.931 dissector could try to free a null pointer and overflow a buffer. Versions affected: 0.10.10
* The IAX2 dissector could throw an assertion. Versions affected: 0.10.1 to 0.10.10
* The ICEP dissector could try to free the same memory twice. Versions affected: 0.10.7 to 0.10.10
* The MEGACO dissector was susceptible to an infinite loop and a buffer overflow. Versions affected: 0.9.14 to 0.10.10
* The DLSw dissector was susceptible to an infinite loop. Versions affected: 0.9.1 to 0.10.10
* The RPC dissector was susceptible to a null pointer exception. Versions affected: 0.9.2 to 0.10.10
* The NCP dissector could overflow a buffer or loop for a long time. Versions affected: 0.10.5 to 0.10.10
* The RADIUS dissector could throw an assertion. Versions affected: 0.10.3 to 0.10.10
* The GSM dissector could access an invalid pointer. Versions affected: 0.10.10
* The SMB PIPE dissector could throw an assertion. Versions affected: 0.9.0 to 0.10.10
* The L2TP dissector was susceptible to an infinite loop. Versions affected: 0.10.9 to 0.10.10
* The SMB NETLOGON dissector could dereference a null pointer. Versions affected: 0.9.12 to 0.10.10
* The MRDISC dissector could throw an assertion. Versions affected: 0.8.19 to 0.10.10
* The ISUP dissector could overflow a buffer or cause a segmentation fault. Versions affected: 0.8.19 to 0.10.10
* The LDAP dissector could crash. Versions affected: 0.10.1 to 0.10.10
* The TCAP dissector could overflow a buffer or throw an assertion. Versions affected: 0.10.8 to 0.10.10
* The NTLMSSP dissector could crash. Versions affected: 0.9.7 to 0.10.10
* The Presentation dissector could overflow a buffer. Versions affected: 0.10.1 to 0.10.10
* Additionally, a number of dissectors could throw an assertion when passed an invalid protocol tree item length. Versions affected: 0.10.8 to 0.10.10
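As an added defender-side example (not part of this advisory or of Ethereal's own code), the check below parses bullets written in the advisory's "Versions affected: X to Y" format and reports which dissectors put a given installed Ethereal version at risk. The sample entries are copied from the list above; version strings are compared as integer tuples because "0.9.9" sorts after "0.10.10" when compared as text.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of entries taken from the advisory's
# affected-dissector list (single-version and range forms both occur).
ADVISORY_ENTRIES = """\
* The ANSI A dissector was susceptible to format string vulnerabilities. Discovered by Bryan Fulton. Versions affected: 0.9.15 to 0.10.10
* The SIP dissector was susceptible to a buffer overflow. Discovered by Ejovi Nuwere. Versions affected: 0.10.0 to 0.10.10
* The TZSP dissector could cause a segmentation fault. Versions affected: 0.10.10 to 0.10.10
* The KINK dissector was susceptible to a null pointer exception, endless looping, and other problems. Versions affected: 0.10.10
* The MGCP dissector was susceptible to a null pointer exception, could loop indefinitely, and segfault. Versions affected: 0.8.14 to 0.10.10
"""

# Matches "* The <name> dissector ... Versions affected: <lo>[ to <hi>]"
ENTRY_RE = re.compile(
    r"^\* The (?P<name>.+?) dissector .*?Versions affected: "
    r"(?P<lo>\d+(?:\.\d+)*)(?: to (?P<hi>\d+(?:\.\d+)*))?\s*$"
)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'0.10.10' -> (0, 10, 10), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_entries(text: str) -> List[Tuple[str, Version, Version]]:
    """Return (dissector name, lowest affected, highest affected) per bullet.
    A bullet with a single version is treated as a range of one."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # not a per-dissector bullet; skip it
        low = parse_version(match.group("lo"))
        high = parse_version(match.group("hi")) if match.group("hi") else low
        entries.append((match.group("name"), low, high))
    return entries


def affected_dissectors(installed: str, text: str = ADVISORY_ENTRIES) -> List[str]:
    """Names of dissectors whose affected range includes the installed version."""
    version = parse_version(installed)
    return [name for name, low, high in parse_entries(text) if low <= version <= high]


if __name__ == "__main__":
    for installed in ("0.9.5", "0.10.9", "0.10.10", "0.10.11"):
        print(installed, "->", affected_dissectors(installed) or "not affected")
```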

Exploit:
An exploit for one of these vulnerabilities has been reported earlier. For
more information see:
<http://www.securiteam.com/exploits/5DP0N20FFY.html> Multiple DoS
Vulnerabilities in TCPDUMP (RSVP Packet, LDP Packet, BGP Packet and GRE
Packet)


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.ethereal.com/appnotes/enpa-sa-00019.html>


