SecurityTracker.com

Category:  Application (Generic)  >  Ethereal
Vendors:  Ethereal.com
Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service
SecurityTracker Alert ID:  1009558
CVE Reference:  CAN-2004-0365
Date:  Mar 26 2004
Impact:  Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.8.13 - 0.10.2
Description:  A vulnerability was reported in Ethereal in the processing of RADIUS packet attributes. A remote user can cause the Ethereal process to crash.

Jonathan Heusser reported that a remote user can send a specially crafted packet to trigger a null pointer dereference, causing the application to crash. The flaw reportedly resides in the dissect_attribute_value_pairs() function in the 'packet-radius.c' file.

The report indicates that it may be possible to execute arbitrary code.

Impact:  A remote user can cause the application to crash.
Solution:  The vendor has released a fixed version (0.10.3), available at:

http://www.ethereal.com/download.html

The vendor's advisory is available at:

http://www.ethereal.com/appnotes/enpa-sa-00013.html

Vendor URL:  www.ethereal.com/appnotes/enpa-sa-00013.html
Cause:  Boundary error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  jonny@drugphish.ch (Jonathan Heusser)
Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 29 2004 (Gentoo Issues Fix) Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service   (klieber@gentoo.org)
Gentoo has released a fix.
Apr 1 2004 (Mandrake Issues Fix) Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Apr 1 2004 (Red Hat Issues Fix for RH Enterprise Linux) Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Apr 1 2004 (Red Hat Issues Fix for RH Linux) Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Linux 9.
Apr 1 2004 (Conectiva Issues Fix) Ethereal RADIUS Attribute Parsing Null Pointer Dereference Lets Remote Users Deny Service   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.



 Source Message Contents

Date:  Fri, 19 Mar 2004 01:07:09 +0800 (CST)
From:  jonny@drugphish.ch (Jonathan Heusser)
Subject:  [Ethereal-dev] ethereal radius dissector vulnerability

 

Hello,

During an audit I found a vulnerability in the radius dissector of
ethereal version 0.10.2 (and probably prior versions as well).
This bug allows a remote attacker to cause at least a denial of service
attack. The execution of arbitrary code could be possible.


The problem is located in the function dissect_attribute_value_pairs of
packet-radius.c:

If you manage to create a packet which causes the find_radius_attr_info
call on line 2600 to return NULL, and at the same time having
avph.avp_length set to 2, then ethereal will fail while calling
proto_tree_add_text on line 2608. More precisely, while accessing
attr_info->str.

...
(2600)  attr_info = find_radius_attr_info(avph.avp_type, radius_attrib);
        if (avph.avp_length < 2) {
            if (tree) {
(2608)          proto_tree_add_text(tree, tvb, offset, avph.avp_length,
                    "t:%s(%u) l:%u (length not >= 2)",
                    attr_info->str, avph.avp_type, avph.avp_length);
            }
...

A possible fix for this would be to bail out when find_radius_attr_info
returns NULL, though this might not be the best solution.

Thank you,
Jonathan Heusser

-- 
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
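
One way to close the gap described in the message above, as an added example (not Ethereal's code and not part of the original report): a minimal attribute-value-pair walker that resolves the attribute name NULL-safely before any branch formats it, and rejects lengths below 2 or past the end of the buffer. The names attr_info, attr_table, find_attr_info and walk_avps, the two-entry table and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the dissector's attribute table (not Ethereal code). */
struct attr_info { uint8_t type; const char *str; };
static const struct attr_info attr_table[] = { {1, "User-Name"}, {2, "User-Password"} };

/* Returns NULL for a type that is not in the table, as in the report. */
static const struct attr_info *find_attr_info(uint8_t type) {
    for (size_t i = 0; i < sizeof attr_table / sizeof attr_table[0]; i++)
        if (attr_table[i].type == type) return &attr_table[i];
    return NULL;
}

/* Walk AVPs in buf[0..len): type(1) length(1) value(length-2). Returns the count of
 * well-formed AVPs, or -1 at the first malformed one; msg describes the last AVP seen. */
int walk_avps(const uint8_t *buf, size_t len, char *msg, size_t msglen) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2) {
            snprintf(msg, msglen, "truncated AVP header");
            return -1;
        }
        unsigned type = buf[off], alen = buf[off + 1];
        const struct attr_info *ai = find_attr_info((uint8_t)type);
        /* Resolve the name once, NULL-safe, before any branch formats it. */
        const char *name = ai ? ai->str : "Unknown";
        if (alen < 2 || alen > len - off) {
            snprintf(msg, msglen, "t:%s(%u) l:%u (%s)", name, type, alen,
                     alen < 2 ? "length not >= 2" : "runs past end of packet");
            return -1;
        }
        snprintf(msg, msglen, "t:%s(%u) l:%u", name, type, alen);
        off += alen;
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample: unknown type 200 with an invalid length of 0. */
    const uint8_t bad[] = { 200, 0 };
    char msg[96];
    int rc = walk_avps(bad, sizeof bad, msg, sizeof msg);
    printf("%d %s\n", rc, msg);
    return 0;
}
```

Resolving the fallback name at the lookup site, rather than in each error branch, keeps later branches that format the name from reintroducing the same dereference.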

 



Copyright 2004, SecurityGlobal.net LLC