Ethereal Network Sniffer Buffer Overflow in Processing the ISIS Protocol May Let Remote Users Crash the Sniffer or Execute Arbitrary Code
SecurityTracker Alert ID: 1005092
SecurityTracker URL: http://securitytracker.com/id/1005092
Date: Aug 21 2002
Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.9.5 and prior versions
A buffer overflow vulnerability was reported in the Ethereal network sniffer in the ISIS protocol dissector. A remote user may be able to cause the sniffer to crash or possibly execute arbitrary code.
It is reported that a remote user can inject a specially crafted and malformed packet (either over the network or via a packet trace file) to trigger the buffer overflow.
A remote user can cause Ethereal to crash. A remote user may be able to cause Ethereal to execute arbitrary code.
The vendor has released a fixed version (0.9.6), available at:
If you are running a version prior to 0.9.6, you can disable the ISIS protocol dissector by selecting Edit->Protocols... and deselecting "isis" from the list.
Vendor URL: www.ethereal.com/appnotes/enpa-sa-00006.html
Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Date: Wed, 21 Aug 2002 01:34:07 -0400
Subject: Ethereal bug
Name: Potential issue with Ethereal 0.9.5
Date: August 20, 2002
The ISIS protocol dissector in Ethereal 0.9.5 and earlier versions is
susceptible to a buffer overflow. In order to determine which version of
Ethereal you have installed, do one of the following:
* Load Ethereal and go to the Help->About Ethereal... menu item.
* From the command line run
(the "v" is lowercase).
Either action will display the application version along with the
libraries that Ethereal and Tethereal are linked with. If version
"0.9.5" or prior is displayed, the application is susceptible.
It may be possible to make Ethereal crash or hang by injecting a
purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file. It may be possible to make Ethereal
run arbitrary code by exploiting the buffer and pointer problems.
Upgrade to 0.9.6.
If you are running a version prior to 0.9.6, you can disable the ISIS
protocol dissector by selecting Edit->Protocols... and deselecting
"isis" from the list.
Support can be found on the ethereal-users[AT]ethereal.com mailing list.
Last modified: Tue, August 20 2002.
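
The version check described in the vendor advisory above can be scripted for hosts that are audited in bulk. The following is an added example, not part of the advisory or of Ethereal: it takes the version text that either action displays and classifies it against the fixed release 0.9.6. The function names are hypothetical, and the banner layout and sample banners are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify an Ethereal/Tethereal version banner against the
# fixed release named in the advisory. The banner layout is an assumption.
FIXED_VERSION="0.9.6"

# Print the first dotted version number found in the banner text, if any.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Succeed when version $1 is older than version $2. Components are compared
# as numbers, so 0.10.0 is newer than 0.9.6 (a string compare gets this wrong).
version_lt() {
    rest_a=$1
    rest_b=$2
    while [ -n "$rest_a" ] || [ -n "$rest_b" ]; do
        part_a=${rest_a%%.*}
        part_b=${rest_b%%.*}
        # Drop the component just read; nothing is left after the last one.
        case $rest_a in *.*) rest_a=${rest_a#*.} ;; *) rest_a= ;; esac
        case $rest_b in *.*) rest_b=${rest_b#*.} ;; *) rest_b= ;; esac
        # A missing component counts as 0, so "0.9" is older than "0.9.6".
        part_a=${part_a:-0}
        part_b=${part_b:-0}
        [ "$part_a" -lt "$part_b" ] && return 0
        [ "$part_a" -gt "$part_b" ] && return 1
    done
    return 1    # equal versions are not "older"
}

# Print "susceptible", "fixed" or "unknown" for one banner line.
classify_banner() {
    version=$(extract_version "$1")
    if [ -z "$version" ]; then
        echo "unknown"
    elif version_lt "$version" "$FIXED_VERSION"; then
        echo "susceptible"
    else
        echo "fixed"
    fi
}

# Constructed sample banners (not captured from a real installation).
for banner in "ethereal 0.9.5, with GTK+ 1.2.10" "tethereal 0.9.6" "ethereal 0.10.0"; do
    printf '%-36s %s\n' "$banner" "$(classify_banner "$banner")"
done
```

An "unknown" result means no version number was found in the text and the installation should be checked by hand.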