SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives
Category: Application (Generic) > Tcpdump
Vendors: Tcpdump.org
Tcpdump Off-by-One Heap Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID: 1017717
SecurityTracker URL: http://securitytracker.com/id/1017717
CVE Reference: CVE-2007-1218
Updated: Mar 7 2007
Original Entry Date: Mar 2 2007
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.9.5
Description:   A vulnerability was reported in tcpdump. A remote user can cause denial of service conditions.

A remote user can send a specially crafted 802.11 frame to trigger an off-by-one heap overflow in the parse_elements() function in 'print-802_11.c' and cause the process to crash. The length byte of the TIM information element is checked for a minimum value, but the range check that follows tests pbody->rates.length instead of pbody->tim.length, so a TIM length of 255 causes 252 bytes to be copied into pbody->tim.bitmap, which holds only 251 bytes.

Moritz Jodeit reported this vulnerability.

[Editor's note: The report did not indicate whether code execution is possible or not. Also, CVE indicates that the overflow may be stack-based.]

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued a fix, available via CVS:

http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.42&r2=1.43

The tcpdump_3_9 branch also contains the fix.

Vendor URL: www.tcpdump.org/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 7 2007 (Red Hat Issues Fix) Tcpdump Off-by-One Heap Overflow Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 5.
Nov 16 2007 (Red Hat Issues Fix) Tcpdump Off-by-One Heap Overflow Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jun 26 2009 (NetBSD Issues Fix) Tcpdump Off-by-One Heap Overflow Lets Remote Users Deny Service
NetBSD has issued a fix for NetBSD 4.0.



 Source Message Contents

Date:  Thu, 1 Mar 2007 13:59:23 +0100
Subject:  [Full-disclosure] tcpdump: off-by-one heap overflow in 802.11

There's an off-by-one heap-overflow in the ieee802.11 printer,
which can be triggered by a maliciously crafted 802.11 frame.
The link type must have been explicitly specified for this to
work.

The function parse_elements() in print-802_11.c checks the
length pbody->tim.length from the frame for too small values in
line 265, but then uses the wrong variable in the following
range check in line 267. Since pbody->tim.length is defined as
a u_int8_t it can hold a maximum value of 255, which in turn
would copy 252 bytes into pbody->tim.bitmap, which is only
251 bytes of size.

253	case E_TIM:
254		/* Present, possibly truncated */
255		pbody->tim_status = TRUNCATED;
256		if (!TTEST2(*(p + offset), 2))
257			return;
258		memcpy(&pbody->tim, p + offset, 2);
259		offset += 2;
260		if (!TTEST2(*(p + offset), 3))
261			return;
262		memcpy(&pbody->tim.count, p + offset, 3);
263		offset += 3;
264
265		if (pbody->tim.length <= 3)
266			break;
267		if (pbody->rates.length > sizeof pbody->tim.bitmap)
268			return;
269		if (!TTEST2(*(p + offset), pbody->tim.length - 3))
270			return;
271		memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3),
272		    (pbody->tim.length - 3))

The current tcpdump release 3.9.5 is still vulnerable.
This got fixed [1] in CVS Head and in the tcpdump_3_9 branch.

[1] http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c?r1=1.42&r2=1.43

Best,
Moritz Jodeit

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
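The off-by-one described in the advisory above and in the message's own analysis, as an added example that is not tcpdump's code and not part of the original page: a stand-alone C model of the E_TIM case of parse_elements(), with the 3.9.5 range check on pbody->rates.length selectable beside the corrected check on pbody->tim.length. Only the sizes the advisory states are taken from tcpdump (tim.length is a u_int8_t, tim.bitmap holds 251 bytes); the element ID 5 for TIM comes from the 802.11 standard; the union arena, the guard bytes after the body, the constructed TIM element and the names parse_tim, build_tim, run_tim_case and body_arena are this example's own assumptions; and the copy reads from the current offset rather than reproducing the original's source-offset arithmetic. With a constructed element of length 255, the vulnerable check passes whenever the preceding rates element left rates.length at 251 or less, 252 bytes are copied into the 251-byte bitmap, and the guard byte after it is overwritten; the fixed check rejects the same element.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory: tim.length is a u_int8_t (at most 255) and tim.bitmap
 * holds 251 bytes, so a length of 255 means a 252-byte copy. */
#define TIM_BITMAP_SIZE 251

struct rates_t { uint8_t element_id, length, rate[8]; };        /* only .length matters here */
struct tim_t {                                                  /* id, length, 3 fixed bytes, bitmap */
    uint8_t element_id, length, count, period, bitmap_control;
    uint8_t bitmap[TIM_BITMAP_SIZE];
};
struct mgmt_body_t { struct rates_t rates; struct tim_t tim; }; /* tim last: overrun lands past it */

/* Hypothetical harness (not how tcpdump stores pbody): the body is overlaid on a byte
 * array with guard bytes after it, so the one-byte overrun is visible while every
 * write stays inside a single C object. */
#define CANARY_LEN 8
#define CANARY_BYTE 0xA5
#define BITMAP_OFF (offsetof(struct mgmt_body_t, tim) + offsetof(struct tim_t, bitmap))
union body_arena {
    struct mgmt_body_t body;
    uint8_t raw[sizeof(struct mgmt_body_t) + CANARY_LEN];
};

enum tim_result { TIM_TRUNCATED = 0, TIM_REJECTED = 1, TIM_COPIED = 2 };

/* Model of the E_TIM case of parse_elements(). p points at the element, caplen is the
 * captured byte count from p (standing in for TTEST2). fixed == 0 puts rates.length in
 * the range check, as 3.9.5 does; fixed != 0 puts tim.length there, as the fix does. */
static enum tim_result parse_tim(union body_arena *a, const uint8_t *p, size_t caplen, int fixed)
{
    struct mgmt_body_t *pbody = &a->body;
    size_t offset = 0;
    uint8_t checked;

    if (caplen < 2)
        return TIM_TRUNCATED;
    memcpy(&pbody->tim, p, 2);                  /* element_id, length */
    offset += 2;
    if (caplen - offset < 3)
        return TIM_TRUNCATED;
    memcpy(&pbody->tim.count, p + offset, 3);   /* count, period, bitmap_control */
    offset += 3;
    if (pbody->tim.length <= 3)
        return TIM_COPIED;                      /* no bitmap bytes to copy */

    checked = fixed ? pbody->tim.length : pbody->rates.length;
    if ((size_t)checked > sizeof pbody->tim.bitmap)
        return TIM_REJECTED;
    if (caplen - offset < (size_t)(pbody->tim.length - 3))
        return TIM_TRUNCATED;                   /* the frame must really carry the bytes */
    /* With tim.length == 255 this writes 252 bytes into the 251-byte bitmap, and the
     * extra byte hits the first guard byte (source offset simplified to 'offset'). */
    memcpy(a->raw + BITMAP_OFF, p + offset, pbody->tim.length - 3);
    return TIM_COPIED;
}

/* Constructed TIM element: id 5 (E_TIM), the given length byte, then 'length' bytes of
 * 0xFF. Returns the element size, or 0 if out cannot hold it. */
static size_t build_tim(uint8_t *out, size_t out_size, uint8_t length)
{
    size_t need = 2 + (size_t)length;
    if (out_size < need)
        return 0;
    out[0] = 5;
    out[1] = length;
    memset(out + 2, 0xFF, length);
    return need;
}

struct tim_case { enum tim_result result; int canary_intact; };

/* Parse one constructed element. rates_length is what an earlier rates element left in
 * pbody->rates.length, the field the vulnerable check actually consults. */
static struct tim_case run_tim_case(uint8_t tim_length, uint8_t rates_length, int fixed)
{
    union body_arena arena;
    uint8_t frame[2 + 255];
    struct tim_case c = { TIM_TRUNCATED, 1 };
    size_t i, n;

    memset(&arena, 0, sizeof arena);
    memset(arena.raw + sizeof(struct mgmt_body_t), CANARY_BYTE, CANARY_LEN);
    arena.body.rates.length = rates_length;
    n = build_tim(frame, sizeof frame, tim_length);
    c.result = parse_tim(&arena, frame, n, fixed);
    for (i = 0; i < CANARY_LEN; i++)
        if (arena.raw[sizeof(struct mgmt_body_t) + i] != CANARY_BYTE)
            c.canary_intact = 0;
    return c;
}

int main(void)
{
    struct tim_case v = run_tim_case(255, 0, 0), f = run_tim_case(255, 0, 1);
    printf("3.9.5 check: result=%d canary_intact=%d\n", v.result, v.canary_intact);
    printf("fixed check: result=%d canary_intact=%d\n", f.result, f.canary_intact);
    return 0;
}
```

Build with any C99 compiler and run; it prints the verdict and guard-byte state for both checks. A rates.length of 252 or more makes the 3.9.5 check reject the TIM element as well, which is why a bounds check on the wrong field only appears to work on some frames: the attacker controls both lengths and simply keeps the rates element short.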

Copyright 2014, SecurityGlobal.net LLC