[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [SecurityLab] Ethereal 0.10.10 SIP Dissector Overflow

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] [SecurityLab] Ethereal 0.10.10 SIP Dissector Overflow
From: "Ejovi Nuwere" <ejovi@xxxxxxxxxxxxxxx>
Date: Sat, 7 May 2005 21:08:38 -0400

Advisory Name: Ethereal 0.10.10 SIP Dissector Overflow
 Release Date: 05/07/05
  Application: Ethereal 0.10.10 and Prior
     Platform: Multiple
     Severity: A remote attacker can execute arbitrary commands
       Author: Ejovi Nuwere <ejovi{AT}securitylab.net>
Vendor Status: Vendor has published patch  
    Reference: http://www.securitylab.net/ethereal-0-10-10.txt


Overview:

Ethereal is a popular open source network sniffer. It has the ability to
inspect and dissect more then 600 protocols. Ethereal is used by network
professionals around the world for troubleshooting, analysis, software
and protocol development, and education. It runs on all popular
computing platforms, including Unix, Linux, and Windows.

SecurityLab Technologies has discovered a exploitable overflow in
Ethereal's SIP dissector resulting from the strcpy() of a overly long
string into a fixed buffer.

To exploit this vulnerability an attacker does not need to know the
location of the sniffing Ethereal. As long as the hostile packet is
directed at the network being observed by the victim.

Successful exploitation of this vulnerability will lead to execution of
arbitrary commands on a system running the sniffer with the privileges
of the user running Ethereal.


Details:

The overflow occurs while parsing the value of cseq_method, the
guilty code can be found in Packet-sip.c

/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value);
value_offset++)
        {
                if (isalpha((guchar)value[value_offset]))
                {
                        strcpy(cseq_method,value+value_offset);
                        break;
                }

value is controlled by the attacker and cseq_method is a fixed
buffer:
char    cseq_method[16] = "";


Vendor Status:

The Ethereal development team has released a patched version of
Ethereal (0.10.11) which can be downloaded from:
http://ethereal.com/download.html


Special thanks:
Tim Newsham for:
        1) Being one of the smartest people we know.
        2) His assistance in debugging this vulnerability.



Disclamer:

The contents of this advisory are copyright (c) 2005 SecurityLab
Technologies and may be distributed freely provided that no fee
is charged for this distribution and proper credit is given.

About SecurityLab
SecurityLab Technologies Inc. provides security services for government
agencies and corporations requiring expert assistance with technology
threat management. The company is headquartered in Boston, MA, more
information about SecurityLab is available at, www.securitylab.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Bluetooth related security problem with Motorola E398 GSM phone
Next by Date: [Full-disclosure] phpbb 2.0.15 released - patches high critical vuln
Previous by thread: Re: [Full-disclosure] Bluetooth related security problem with Motorola E398 GSM phone
Next by thread: [Full-disclosure] phpbb 2.0.15 released - patches high critical vuln
Index(es):
- Date
- Thread