Vulnerability Development mailing list archives
Ethereal v0.9.13 to v0.10.10 DISTCC Denial of Service Exploit (Buffer Overflow)
From: David Jungerson <david-jungerson () web de>
Date: Wed, 11 May 2005 12:59:36 +0200
From the original Ethereal Advisory on http://ethereal.com/appnotes/enpa-sa-00019.html:

`The DISTCC dissector was susceptible to a buffer overflow. Discovered by Ilja van Sprundel. Versions affected: 0.9.13 to 0.10.10'

Just had a quick look at it, but the exploit is a classical signed vs. unsigned issue when providing the payload length in a DISTCC packet (for example `SERR'). When providing a packet length of -1 (0xffffffff), the dissector utility routines copy the whole payload into a 255-byte buffer, so this should be trivial to exploit further.

Sample `DoS-Exploit':

# nc $SOME_SNIFFED_MACHINE 3632 | perl -e 'print "SERRffffffff" . "oxff" x 256'

Please note that the sniffed machine has to have port 3632 open. Since the DISTCC dissector is an application layer dissector, this may be exploited via all IP routed networks, for example the internet.

Best Regards,
Georg 'oxff' Wicherski
http://www.mwcollect.org/
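Added illustration of the bug class described in the post above; this is example code written for this page, not the poster's code and not Ethereal's DISTCC dissector. It assumes a simplified token layout (4 upper-case letters followed by 8 hex digits of payload length, as in the `SERRffffffff' sample) and a 255-byte destination buffer; the function names and the sample packets are constructed here. It shows why a signed length check lets 0xffffffff through, and the unsigned, availability-bounded check a dissector needs instead.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed payload buffer the post describes (255 bytes). */
#define PAYLOAD_BUF 255
/* Assumed token layout: 4 ASCII letters followed by 8 hex digits of length. */
#define TOKEN_HDR 12

/* Parse exactly 8 hex digits into a 32-bit unsigned value; 0 on success, -1 if malformed. */
static int parse_hex8(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isxdigit(c)) return -1;
        v = (v << 4) | (uint32_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    *out = v;
    return 0;
}

/* The flawed pattern: the length is held in a signed int before the bound check,
 * so 0xffffffff becomes -1 (on two's-complement targets) and satisfies "len <= 255".
 * Returns 1 when the check would accept the length, 0 when it would reject it. */
int length_check_signed(uint32_t raw_len)
{
    int len = (int)raw_len;
    return len <= PAYLOAD_BUF;
}

/* The corrected pattern: keep the length unsigned and bound it by both the
 * destination buffer and the number of bytes actually present in the packet. */
int length_check_unsigned(uint32_t raw_len, size_t available)
{
    return raw_len <= PAYLOAD_BUF && raw_len <= available;
}

/* Hardened token dissector (hypothetical): copies one token's payload into out, which
 * must hold PAYLOAD_BUF + 1 bytes, and returns the payload length, or -1 if the token
 * is malformed or its declared length exceeds either bound. */
int dissect_distcc_token(const uint8_t *pkt, size_t pkt_len, char *out)
{
    uint32_t len;
    if (pkt_len < TOKEN_HDR) return -1;
    for (int i = 0; i < 4; i++)
        if (!isupper(pkt[i])) return -1;            /* token name, e.g. "SERR" */
    if (parse_hex8((const char *)pkt + 4, &len) != 0) return -1;
    if (!length_check_unsigned(len, pkt_len - TOKEN_HDR)) return -1;
    memcpy(out, pkt + TOKEN_HDR, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample tokens: a benign one and one carrying the post's -1 length. */
    const char good[] = "SERR00000005hello";
    const char bad[]  = "SERRffffffff\xff\xff\xff\xff";
    char out[PAYLOAD_BUF + 1];

    printf("signed check accepts 0xffffffff:   %d\n", length_check_signed(0xffffffffu));
    printf("unsigned check accepts 0xffffffff: %d\n", length_check_unsigned(0xffffffffu, 4));
    printf("good token -> %d bytes\n", dissect_distcc_token((const uint8_t *)good, sizeof good - 1, out));
    printf("bad token  -> %d\n", dissect_distcc_token((const uint8_t *)bad, sizeof bad - 1, out));
    return 0;
}
```

The second bound in length_check_unsigned matters as much as the first: even a length below 255 must not exceed what the capture actually contains, otherwise the copy reads past the end of the packet buffer.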