Vulnerability Development mailing list archives

Ethereal v0.9.13 to v0.10.10 DISTCC Denial of Service Exploit (Buffer Overflow)


From: David Jungerson <david-jungerson () web de>
Date: Wed, 11 May 2005 12:59:36 +0200

From the original Ethereal Advisory on
http://ethereal.com/appnotes/enpa-sa-00019.html : `The DISTCC dissector
was susceptible to a buffer overflow. Discovered by Ilja van Sprundel
Versions affected: 0.9.13 to 0.10.10'. Just had a quick look at it, but
the exploit is a classical signed vs. unsigned issue when providing the
payload length in a DISTCC packet (for example `SERR'). When providing a
packet length of -1 (0xffffffff), the dissector utility routines copy
the whole payload into a 255-byte buffer, so this should be trivial to
exploit further.

Sample `DoS-Exploit':
# nc $SOME_SNIFFED_MACHINE 3632 | perl -e 'print "SERRffffffff" . "oxff" x 256'

Please note that the sniffed machine has to have port 3632 open. Since
the DISTCC dissector is an application-layer dissector, this may be
exploited via all IP-routed networks, for example the internet.

    Best Regards,
    Georg 'oxff' Wicherski


    http://www.mwcollect.org/
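The signed vs. unsigned length-check pattern the post describes, shown as an added example in C. This is not Ethereal's DISTCC dissector code and not code from the poster; the framing it assumes (a four-character token such as `SERR` followed by eight hex digits giving the payload length, and a 255-byte destination buffer) is taken from the post, while the function names `flawed_length_accepts`, `parse_hex32` and `dissect_serr` and the status enum are hypothetical. `flawed_length_accepts` only reports the decision a signed comparison would make, it performs no copy; `dissect_serr` is the hardened form, bounding the length both by the destination buffer and by the bytes actually present in the packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_BUF 255          /* destination buffer size mentioned in the post */
#define HDR_LEN 12               /* 4-char token + 8 hex digits (assumed framing) */

typedef enum {
    DISSECT_OK = 0,
    DISSECT_BAD_HEADER,          /* wrong token or non-hex length field */
    DISSECT_BAD_LEN,             /* length exceeds the destination buffer */
    DISSECT_TRUNCATED            /* length exceeds the bytes present in the packet */
} dissect_status;

/* Parse eight hex digits into a 32-bit value. Returns 1 on success, 0 on failure. */
static int parse_hex32(const unsigned char *p, size_t avail, uint32_t *out)
{
    if (avail < 8) return 0;
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = p[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 1;
}

/* The flawed pattern: the wire length lands in a signed int and is compared
   against the buffer size. 0xffffffff becomes -1 on two's-complement targets,
   and -1 <= 255 is true, so an oversized payload is accepted. This function
   returns the decision only (1 = would copy) and never copies anything. */
int flawed_length_accepts(uint32_t raw_len)
{
    int32_t len = (int32_t)raw_len;  /* conversion wraps to -1 for 0xffffffff */
    return len <= PAYLOAD_BUF;
}

/* Hardened form: keep the length unsigned and check it against both the
   destination buffer and the bytes that actually follow the header. */
dissect_status dissect_serr(const unsigned char *pkt, size_t pkt_len,
                            unsigned char *out, size_t out_size, size_t *out_len)
{
    uint32_t len;
    if (pkt_len < HDR_LEN || memcmp(pkt, "SERR", 4) != 0) return DISSECT_BAD_HEADER;
    if (!parse_hex32(pkt + 4, pkt_len - 4, &len))        return DISSECT_BAD_HEADER;
    if (len > out_size)                                  return DISSECT_BAD_LEN;
    if (len > pkt_len - HDR_LEN)                         return DISSECT_TRUNCATED;
    memcpy(out, pkt + HDR_LEN, len);
    *out_len = len;
    return DISSECT_OK;
}

int main(void)
{
    /* Constructed sample packets: the post's oversized length, and a sane one. */
    unsigned char bad[HDR_LEN + 256];
    memcpy(bad, "SERRffffffff", HDR_LEN);
    memset(bad + HDR_LEN, 0xff, 256);
    const unsigned char good[] = "SERR00000005hello";

    unsigned char buf[PAYLOAD_BUF];
    size_t n = 0;

    printf("flawed check accepts 0xffffffff: %d\n", flawed_length_accepts(0xffffffffu));
    printf("hardened dissector on bad packet: %d\n",
           (int)dissect_serr(bad, sizeof bad, buf, sizeof buf, &n));
    printf("hardened dissector on good packet: %d (len %zu)\n",
           (int)dissect_serr(good, sizeof good - 1, buf, sizeof buf, &n), n);
    return 0;
}
```

The decisive difference is the type of `len` at the comparison: with an unsigned compare, 0xffffffff is simply larger than 255 and is rejected before any copy; the second check also stops a dissector from reading past the end of a short capture even when the declared length fits the buffer.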

