tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process
SecurityTracker Alert ID: 1008735
SecurityTracker URL: http://securitytracker.com/id/1008735
Updated: Jan 16 2004
Original Entry Date: Jan 16 2004
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
A vulnerability was reported in tcpdump in the processing of RADIUS packets. A remote user can cause the target tcpdump process to crash.
Jonathan Heusser reported that there is a flaw in 'print-radius.c' in the print_attr_string() function, where the 'length' and 'data' parameters are not properly validated. The report also indicates that there is a flaw in the radius_attr_print() function, where an upper limit for the 'rad_attr->len' is not defined.
A remote user can send a specially crafted RADIUS packet to cause the target process to crash.
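An added example, not tcpdump's code and not the vendor's fix: a bounds-checked RADIUS attribute walk in C showing the kind of length validation the report says was missing, with each attribute length checked against the bytes that remain before its value is read. The names radius_walk and attr_to_text are hypothetical, and both sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RAD_HDR_LEN 20 /* code, id, length (2 bytes), authenticator (16) */
/* Constructed samples: one User-Name attribute (type 1) carrying "alice". */
static const uint8_t sample_ok[] = { 1, 0x2a, 0, 27,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 1, 7, 'a','l','i','c','e' };
/* Same packet, but the attribute claims 200 bytes while only 7 remain. */
static const uint8_t sample_bad[] = { 1, 0x2a, 0, 27,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 1, 200, 'a','l','i','c','e' };

/* Hypothetical helper: render a value as text, bounded by len and outsz. */
static size_t attr_to_text(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    size_t i, n = 0;
    if (data == NULL || outsz == 0) return 0;
    for (i = 0; i < len && n + 1 < outsz; i++)
        out[n++] = (data[i] >= 0x20 && data[i] < 0x7f) ? (char)data[i] : '.';
    out[n] = '\0';
    return n;
}

/* Returns the number of well-formed attributes, or -1 if malformed. */
static int radius_walk(const uint8_t *pkt, size_t caplen)
{
    size_t total, off = RAD_HDR_LEN;
    int count = 0; char text[64];
    if (pkt == NULL || caplen < RAD_HDR_LEN) return -1;
    total = ((size_t)pkt[2] << 8) | pkt[3];       /* header length field */
    if (total < RAD_HDR_LEN || total > caplen) return -1;
    while (off < total) {
        size_t alen;
        if (total - off < 2) return -1;           /* no room for type + len */
        alen = pkt[off + 1];
        if (alen < 2 || alen > total - off) return -1; /* lower and upper bound */
        attr_to_text(pkt + off + 2, alen - 2, text, sizeof text);
        printf("attr type %d, len %zu: %s\n", pkt[off], alen, text);
        off += alen; count++;
    }
    return count;
}

int main(void)
{
    printf("ok=%d\n", radius_walk(sample_ok, sizeof sample_ok));
    printf("bad=%d\n", radius_walk(sample_bad, sizeof sample_bad));
    return 0;
}
```

The lower bound matters as much as the upper one: an attribute length below 2 would otherwise stall the walk or make the value length wrap around when 2 is subtracted.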
A remote user can crash the tcpdump process.
The vendor has released a fix, available via CVS (see: http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-radius.c).
Vendor URL: www.tcpdump.org/
Boundary error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 16 Jan 2004 00:47:19 -0500
Subject: [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1
From: Jonathan Heusser <jonny () drugphish ! ch>
Date: 2004-01-04 21:23:42
beside the l2tp vulnerability mentioned on this list this month, I found two other locations in the code which an attacker could use to crash, or in the worst case exploit,
The first critical piece of code is found in print-isakmp.c:332. The function rawprint() does not check its arguments thus it's easy for an attacker to pass a big 'len' or a bogus 'loc' leading to a segmentation fault in the for loop. rawprint() gets called at various places in print-isakmp.c.
The second bug is located in print-radius.c:471. The for loop of print_attr_string() is written in an unsafe manner. 'length' and 'data' should be checked. print_attr_string() is called via a function pointer from radius_attr_print() line 784 where no upper bound for 'rad_attr->len' is defined. This leads to a segmentation fault as well.
Both vulnerabilities were tested against tcpdump 3.8.1, libpcap 0.7.1 and
Key fingerprint = 2A55 EB7C B7EA 6336 7767 4A47 910A 307B 1333 BD6C