Wireshark (Ethereal) Format String Flaws, Off-by-one Errors, and Buffer Overflow May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016532 |
|
SecurityTracker URL: http://securitytracker.com/id/1016532
|
|
CVE Reference:
CVE-2006-3627, CVE-2006-3628, CVE-2006-3629, CVE-2006-3630, CVE-2006-3631, CVE-2006-3632
(Links to External Site)
|
Updated: Aug 16 2006
|
Original Entry Date: Jul 19 2006
|
Impact:
Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 0.8.16 - 0.99.0
|
Description:
A vulnerability was reported in Wireshark/Ethereal. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.
A format string oveflow exists in the ANSI MAP, Checkpoint FW-1, MQ, XML, and NTP dissectors. An off-by-one error exists in the NCP NMAS and NDPS dissectors. A buffer overflow exists in the NFS dissector.
A remote user can send specially crafted data to execute arbitrary code on the target system. The code will run with the privileges of the target service.
A memory allocation error exists in the MOUNT dissector. A remote user can cause the dissector to consume excessive memory on the target system.
A remote user can send specially crafted data to cause the SSH dissector to enter an infinite loop.
A specially crafted packet trace file can also trigger these vulnerabilities.
Ilja van Sprundel discovered these vulnerabilities.
|
Impact:
A remote user can execute arbitrary code on the target system.
A remote user can cause denial of service conditions.
|
Solution:
The vendor has issued a fixed version (0.99.2).
The Wireshark advisory is available at:
http://www.wireshark.org/security/wnpa-sec-2006-01.html
|
Vendor URL: www.wireshark.org/security/wnpa-sec-2006-01.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 18 Jul 2006 23:44:53 -0400
Subject: Multiple problems in Ethereal versions 0.8.14 to 0.10.10
|
http://www.wireshark.org/security/wnpa-sec-2006-01.html
excerpt:
* The ANSI MAP dissector was vulnerable to a format string overflow. Versions affected: 0.10.0 to 0.99.0. CVE: CVE-2006-3628
* The Checkpoint FW-1 dissector was vulnerable to a format string overflow. Versions affected: 0.10.10 to 0.99.0. CVE: CVE-2006-3628
* The MQ dissector was vulnerable to a format string overflow. Versions affected: 0.10.4 to 0.99.0. CVE: CVE-2006-3628
* The XML dissector was vulnerable to a format string overflow. Versions affected: 0.10.13 to 0.99.0. CVE: CVE-2006-3628
* The MOUNT dissector could attempt to allocate large amounts of memory. Versions affected: 0.9.4 to 0.99.0. CVE: CVE-2006-3629
* The NCP NMAS and NDPS dissectors were susceptible to off-by-one errors. Versions affected: 0.9.7 to 0.99.0. CVE: CVE-2006-3630
* The NTP dissector was vulnerable to a format string overflow. Versions affected: 0.10.13 to 0.99.0. CVE: CVE-2006-3628
* The SSH dissector was vulnerable to an infinite loop. Versions affected: 0.9.10 to 0.99.0. CVE: CVE-2006-3631
* The NFS dissector may have been susceptible to a buffer overflow. Versions affected: 0.8.16 to 0.99.0. CVE: CVE-2006-3632
|
|
