CVE-2003-0081
CVSS 7.5
Published: 2003-03-18 00:00:00
Revised: 2008-09-05 16:33:25

[Original text] Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.


[CNNVD] Ethereal SOCKS dissector format string overflow vulnerability (CNNVD-200303-061)

        
Ethereal is a free, open-source network protocol analyser that runs on Unix and Windows.
The SOCKS dissector in Ethereal contains a flaw in its handling of malformed SOCKS packets. A remote attacker can exploit it to mount a buffer overflow attack and may execute arbitrary instructions on the system with the privileges of the Ethereal process.
The problem is at line 910 of "packet-socks.c":
-----
 proto_tree_add_text( tree, tvb, offset, linelen,
 format_text(data, linelen));
------
Because externally supplied data is not checked correctly, submitting data that contains format string specifiers can corrupt the stack. An attacker can connect to a SOCKS server and send it malicious format string data; if Ethereal is monitoring all packets on that SOCKS network, a format string overflow attack results, and carefully crafted data may execute arbitrary instructions on the system with the privileges of the Ethereal process.
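As an added illustration, not code from this record, from Ethereal or from CNNVD: the call pattern the description above criticises next to the corrected one, written against a hypothetical `add_text()` stand-in for `proto_tree_add_text()` that formats into a buffer, plus a small directive counter a defender can run over decoded packet text to flag records that would have hit the unpatched dissector. All helper names and the sample lines are assumptions constructed here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Ethereal's variadic proto_tree_add_text():
 * it renders into a caller-supplied buffer instead of a protocol tree.
 * Assumed helper written for this example, not Ethereal code. */
static int add_text(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the advisory describes: bytes decoded from the packet are
 * handed over as the format argument, so every '%' directive they contain is
 * interpreted by vsnprintf against whatever happens to be in the argument
 * area. Directives that consume arguments are undefined behaviour here. */
static int add_text_unsafe(char *out, size_t outlen, const char *packet_text)
{
    return add_text(out, outlen, packet_text);
}

/* The corrected pattern: a constant format string, with the packet bytes
 * passed as a plain argument, so they are copied verbatim and never parsed. */
static int add_text_fixed(char *out, size_t outlen, const char *packet_text)
{
    return add_text(out, outlen, "%s", packet_text);
}

/* Renders `text` through one of the two paths and returns 1 if the output
 * equals the input byte for byte. The fixed path always preserves its input;
 * the unsafe path does not as soon as the text contains a '%' directive.
 * Only pass argument-free text (plain characters and "%%") to the unsafe
 * path, for the reason given above. */
static int render_preserves_input(const char *text, int use_fixed_path)
{
    char buf[128];

    if (use_fixed_path)
        add_text_fixed(buf, sizeof buf, text);
    else
        add_text_unsafe(buf, sizeof buf, text);
    return strcmp(buf, text) == 0;
}

/* Counts conversion directives in a string: every '%' that is not part of an
 * escaped "%%". A non-zero count over text lifted from a SOCKS packet marks
 * exactly the input the unpatched dissector would have misinterpreted, so a
 * capture-review or fuzzing harness can use it to flag such records. */
static int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample lines; "100%% done" is harmless but already shows
     * that the unsafe path interprets the packet text as a format. */
    const char *benign = "GET / HTTP/1.0";
    const char *escaped = "100%% done";
    const char *hostile = "%08x-%08x-%s";   /* three directives, never rendered */

    printf("fixed path preserves  \"%s\": %d\n", escaped,
           render_preserves_input(escaped, 1));
    printf("unsafe path preserves \"%s\": %d\n", escaped,
           render_preserves_input(escaped, 0));
    printf("directives in \"%s\": %d\n", benign, count_format_directives(benign));
    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    return 0;
}
```

The unsafe path is only ever fed text whose directives consume no arguments (`%%`), which is enough to show that the packet bytes are being parsed as a format: the two paths disagree on the output, and that disagreement is the whole bug. Passing `"%s"` as a constant format and the untrusted text as its argument is the standard repair.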
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [exploitation is not subject to access restrictions]
Attack vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:ethereal_group:ethereal:0.9.8
cpe:/a:ethereal_group:ethereal:0.9.7
cpe:/a:ethereal_group:ethereal:0.9.0
cpe:/a:ethereal_group:ethereal:0.9.3
cpe:/a:ethereal_group:ethereal:0.9.1
cpe:/a:ethereal_group:ethereal:0.9.2
cpe:/a:ethereal_group:ethereal:0.9.9
cpe:/a:ethereal_group:ethereal:0.9.4
cpe:/a:ethereal_group:ethereal:0.9.5
cpe:/a:ethereal_group:ethereal:0.9.6
cpe:/a:ethereal_group:ethereal:0.8.18

- OVAL (technical details for detection)

oval:org.mitre.oval:def:54 Ethereal SOCKS String Format Vulnerability
*The OVAL definition describes the method for detecting this vulnerability in detail; see the related OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0081
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0081
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-061
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/7049
(VENDOR_ADVISORY)  BID  7049
http://www.guninski.com/etherre.html
(VENDOR_ADVISORY)  MISC  http://www.guninski.com/etherre.html
http://www.ethereal.com/appnotes/enpa-sa-00008.html
(VENDOR_ADVISORY)  CONFIRM  http://www.ethereal.com/appnotes/enpa-sa-00008.html
http://www.debian.org/security/2003/dsa-258
(VENDOR_ADVISORY)  DEBIAN  DSA-258
http://xforce.iss.net/xforce/xfdb/11497
(UNKNOWN)  XF  ethereal-socks-format-string(11497)
http://www.redhat.com/support/errata/RHSA-2003-077.html
(UNKNOWN)  REDHAT  RHSA-2003:077
http://www.redhat.com/support/errata/RHSA-2003-076.html
(UNKNOWN)  REDHAT  RHSA-2003:076
http://www.novell.com/linux/security/advisories/2003_019_ethereal.html
(UNKNOWN)  SUSE  SuSE-SA:2003:019
http://www.linuxsecurity.com/advisories/gentoo_advisory-2949.html
(UNKNOWN)  GENTOO  GLSA-200303-10
http://seclists.org/lists/fulldisclosure/2003/Mar/0080.html
(UNKNOWN)  FULLDISC  20030308 Ethereal format string bug, yet still ethereal much better than windows
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2003:051
(UNKNOWN)  MANDRAKE  MDKSA-2003:051
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000627
(UNKNOWN)  CONECTIVA  CLSA-2003:627

- Vulnerability information

Ethereal SOCKS dissector format string overflow vulnerability
High Boundary condition error
2003-03-18 00:00:00 2005-05-13 00:00:00
Remote
        
        

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Georgi Guninski provides the following third-party patch:
        ------------------
        --- packet-socks.c.orig 2002-08-29 03:40:03.000000000 +0300
        +++ packet-socks.c 2003-02-25 15:52:14.000000000 +0200
        @@ -908,7 +908,7 @@
         linelen = lineend - data;
         proto_tree_add_text( tree, tvb, offset, linelen,
        - format_text(data, linelen));
        + "",format_text(data, linelen));
         offset += linelen;
         data = lineend;
         }
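Review bot: the replacement format on the `+` line is the empty string `""`, so `format_text(data, linelen)` becomes an unused variadic argument and the decoded line is no longer shown in the tree at all; `"%s"` keeps the text visible while still preventing packet bytes from being interpreted as a format, i.e. `+ "%s", format_text(data, linelen));`.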
        ------------------
        Vendor patch:
        Ethereal Group
        --------------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
        Ethereal Group Upgrade ethereal-0.9.10.tar.gz
        
        http://www.ethereal.com/distribution/ethereal-0.9.10.tar.gz

- Vulnerability information

4466
Ethereal SOCKS Dissector Format String Overflow
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-03-07 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.9.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Ethereal SOCKS Dissector Format String Vulnerability
Boundary Condition Error 7049
Yes No
2003-03-08 12:00:00 2009-07-11 08:06:00
Discovery of this vulnerability credited to Georgi Guninski.

- Affected program versions

RedHat Linux Advanced Work Station 2.1
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1
Red Hat Enterprise Linux AS 2.1
Ethereal Group Ethereal 0.9.9
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Ethereal Group Ethereal 0.9.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ Terra Soft Solutions Yellow Dog Linux 3.0
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.6
+ Conectiva Linux Enterprise Edition 1.0
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.4
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Ethereal Group Ethereal 0.9.3
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.1
- Compaq Tru64 5.0
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- HP HP-UX 11.0
- IBM AIX 5.1
- Linux kernel 2.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0
- NetBSD NetBSD 1.5
- OpenBSD OpenSSH 3.0
- SCO Unixware 7.0
- SGI IRIX 6.0
- Sun Solaris 8_sparc
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.8.18
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2
Ethereal Group Ethereal 0.9.10
+ Conectiva Linux 9.0

- Unaffected program versions

Ethereal Group Ethereal 0.9.10
+ Conectiva Linux 9.0

- Vulnerability discussion

A format string vulnerability has been reported in some versions of the SOCKS dissector for Ethereal.

An attacker can exploit this vulnerability by connecting to a vulnerable SOCKS server and sending malicious format string specifiers to the SOCKS server. If Ethereal is being used as a security tool to monitor network packets, it is possible that sensitive memory may be corrupted.

This has been confirmed to result in a denial of service condition. Additionally, it may be possible to cause Ethereal to execute malicious attacker-supplied code.

- Exploit

Exploits have been provided. Further information is available in the referenced Web pages.

- Solution

Red Hat has released a security advisory (RHSA-2003:077-13) containing fixes which address this and other issues with ethereal. See referenced advisory for further details on obtaining and applying fixes.

SuSE has released a security advisory (SuSE-SA:2003:019) which contains fixes for this issue. Users are advised to upgrade as soon as possible.

Debian have released a security advisory (DSA 258-1) which contains fixes for this issue. Users are advised to upgrade as soon as possible.

Gentoo Linux has released an advisory (200303-10). Users who have installed net-analyzer/ethereal are advised to upgrade to ethereal-0.9.10 by issuing the following commands:

emerge sync
emerge ethereal
emerge clean

Red Hat has released a security advisory (RHSA-2003:076-01) containing fixes which address this and other issues with ethereal. Users are advised to upgrade as soon as possible.

Fixes available:

Ethereal Group Ethereal 0.8.18
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.9.1
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.3
Ethereal Group Ethereal 0.9.4
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.6
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.8
Ethereal Group Ethereal 0.9.9

- References

 

 
