Related information

Multiple tcpdump / ethereal sniffers vulnerabilities

Another tcpdump BGP infinite loop vulnerability (CAN-2005- 1267)

remote root security bug in ethereal 0.9.13 >= and <= 0.10.10

[SecurityLab] Ethereal 0.10.10 SIP Dissector Overflow

[NEWS] Ethereal Protocol Dissectors Buffer Overflow Vulnerabilities

From:	Ejovi Nuwere <ejovi_(at)_securitylab.net>
Date:	10.05.2005
Subject:	[Full-disclosure] [SecurityLab] Ethereal 0.10.10 SIP Dissector Overflow

Advisory Name: Ethereal 0.10.10 SIP Dissector Overflow
Release Date: 05/07/05
 Application: Ethereal 0.10.10 and Prior
    Platform: Multiple
    Severity: A remote attacker can execute arbitrary commands
      Author: Ejovi Nuwere <ejovi{AT}securitylab.net>
Vendor Status: Vendor has published patch  
   Reference: http://www.securitylab.net/ethereal-0-10-10.txt


Overview:

Ethereal is a popular open source network sniffer. It has the ability to
inspect and dissect more then 600 protocols. Ethereal is used by network
professionals around the world for troubleshooting, analysis, software
and protocol development, and education. It runs on all popular
computing platforms, including Unix, Linux, and Windows.

SecurityLab Technologies has discovered a exploitable overflow in
Ethereal's SIP dissector resulting from the strcpy() of a overly long
string into a fixed buffer.

To exploit this vulnerability an attacker does not need to know the
location of the sniffing Ethereal. As long as the hostile packet is
directed at the network being observed by the victim.

Successful exploitation of this vulnerability will lead to execution of
arbitrary commands on a system running the sniffer with the privileges
of the user running Ethereal.


Details:

The overflow occurs while parsing the value of cseq_method, the
guilty code can be found in Packet-sip.c

/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value);
value_offset++)
       {
               if (isalpha((guchar)value[value_offset]))
               {
                       strcpy(cseq_method,value+value_offset);
                       break;
               }

value is controlled by the attacker and cseq_method is a fixed
buffer:
char    cseq_method[16] = "";


Vendor Status:

The Ethereal development team has released a patched version of
Ethereal (0.10.11) which can be downloaded from:
http://ethereal.com/download.html


Special thanks:
Tim Newsham for:
       1) Being one of the smartest people we know.
       2) His assistance in debugging this vulnerability.



Disclamer:

The contents of this advisory are copyright (c) 2005 SecurityLab
Technologies and may be distributed freely provided that no fee
is charged for this distribution and proper credit is given.

About SecurityLab
SecurityLab Technologies Inc. provides security services for government
agencies and corporations requiring expert assistance with technology
threat management. The company is headquartered in Boston, MA, more
information about SecurityLab is available at, www.securitylab.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/