tcpdump mailing list archives

multiple vulnerabilities in tcpdump 3.8.1


From: Jonathan Heusser <jonny () drugphish ch>
Date: Sun, 04 Jan 2004 22:23:42 +0100

Hello,

Besides the l2tp vulnerability mentioned on this list this month, I found two other locations in the code which an attacker could use to crash, or in the worst case exploit, tcpdump.

The first critical piece of code is found in print-isakmp.c:332. The function rawprint() does not check its arguments thus it's easy for an attacker to pass a big 'len' or a bogus 'loc' leading to a
segmentation fault in the for loop.
rawprint() gets called at various places in print-isakmp.c.

The second bug is located in print-radius.c:471. The for loop of print_attr_string() is written in an
unsafe manner. 'length' and 'data' should be checked.
print_attr_string() is called via a function pointer from radius_attr_print() line 784 where no upper bound
for 'rad_attr->len' is defined. This leads to a segmentation fault as well.

Both vulnerabilities were tested against tcpdump 3.8.1, libpcap 0.7.1 and Linux.


Thanks,
Jonathan Heusser

--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
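The two reports above share one root cause: a length taken from packet data ('len' for rawprint(), 'rad_attr->len' for the RADIUS attribute walker) drives a loop without ever being compared against the end of the captured packet. The following is an added example written for this archive page; it is not tcpdump's code and does not reproduce rawprint() or print_attr_string(). It shows the missing check in both places: a hex-dump helper that takes an explicit end-of-buffer pointer, and a RADIUS attribute walker (1-byte type, 1-byte length that includes the 2-byte header, then the value, as in RFC 2865) that validates each length before using it. The packets are constructed for the example, not real captures.

```c
/* Added example (not tcpdump's code): bounds-checked walks of the data the
 * two reports describe. rawprint_checked() stands in for a rawprint()-style
 * hex dump; radius_attrs_checked() walks RADIUS attributes. Both take an
 * explicit end pointer and refuse to read at or past it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hex-dump len bytes at loc, never reading at or past end.
 * Returns the number of bytes dumped, or -1 if the request does not fit in
 * the buffer. len came from packet data, so it cannot be trusted. */
static long rawprint_checked(const uint8_t *loc, size_t len, const uint8_t *end)
{
    /* Compare against the remaining space rather than computing loc + len:
     * forming a pointer past the buffer is undefined behaviour and the sum
     * can wrap on a large len. */
    if (loc == NULL || loc > end || len > (size_t)(end - loc))
        return -1;
    for (size_t i = 0; i < len; i++)
        printf("%02x", loc[i]);
    if (len)
        printf("\n");
    return (long)len;
}

/* Walk RADIUS attributes in [p, end). Each is type(1) len(1) value(len-2),
 * where len counts the header. Returns the attribute count, or -1 on a
 * header that is truncated, a len < 2 (which would never advance p), or a
 * len that runs past end. Each value goes through rawprint_checked() with
 * the same end pointer, so the dump itself cannot overrun either. */
static int radius_attrs_checked(const uint8_t *p, const uint8_t *end)
{
    int count = 0;
    while (p < end) {
        if (end - p < 2)
            return -1;                      /* truncated header */
        uint8_t type = p[0], len = p[1];
        if (len < 2)
            return -1;                      /* bogus length, would not advance */
        if (len > end - p)
            return -1;                      /* attribute overruns the packet */
        printf("attr type=%u len=%u value=", type, len);
        if (rawprint_checked(p + 2, len - 2, end) < 0)
            return -1;
        if (len == 2)
            printf("\n");                   /* empty value, finish the line */
        p += len;
        count++;
    }
    return count;
}

/* Constructed sample attribute lists (not real captures). */
static const uint8_t good_attrs[] = {
    0x01, 0x06, 'b', 'o', 'b', 0x00,        /* User-Name, 4-byte value */
    0x05, 0x06, 0x00, 0x00, 0x00, 0x07,     /* NAS-Port = 7 */
};
/* Same list, but the second attribute claims len=0x40 with 6 bytes left. */
static const uint8_t bad_attrs[] = {
    0x01, 0x06, 'b', 'o', 'b', 0x00,
    0x05, 0x40, 0x00, 0x00, 0x00, 0x07,
};
/* A len of 0: without the len < 2 check the walker would spin in place. */
static const uint8_t zero_len_attr[] = { 0x01, 0x00, 'x' };

int good_count(void) { return radius_attrs_checked(good_attrs, good_attrs + sizeof good_attrs); }
int bad_count(void)  { return radius_attrs_checked(bad_attrs, bad_attrs + sizeof bad_attrs); }
int zero_count(void) { return radius_attrs_checked(zero_len_attr, zero_len_attr + sizeof zero_len_attr); }

int main(void)
{
    printf("good: %d\n", good_count());     /* 2 attributes parsed */
    printf("bad: %d\n", bad_count());       /* -1, second attribute overruns */
    printf("zero-len: %d\n", zero_count()); /* -1, len < 2 rejected */
    return 0;
}
```

The check that matters is the one done before the loop body touches memory: the length from the packet is compared with the bytes actually remaining, and a length below the header size is rejected so the walker always advances. Any dump routine called from inside such a walker should receive the same end pointer rather than trusting that its caller already validated the length.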

