CVE-2005-3651
CVSS 7.5
Published: 2005-12-10 06:03:00
Revised: 2011-03-07 21:26:55
NMCOPS    

[Original text] Stack-based buffer overflow in the dissect_ospf_v3_address_prefix function in the OSPF protocol dissector in Ethereal 0.10.12, and possibly other versions, allows remote attackers to execute arbitrary code via crafted packets.


[CNNVD] Ethereal OSPF Protocol Handler Stack Overflow Vulnerability (CNNVD-200512-198)

        Ethereal is an open-source network protocol analyzer.
        The component Ethereal uses to analyze the OSPF protocol contains a stack overflow vulnerability; a remote attacker can exploit it to cause a denial of service or execute arbitrary code. The dissect_ospf_v3_address_prefix() function performs no bounds checking. The function converts user-supplied binary data into a human-readable string, but it stores the constructed string in a fixed-length buffer on the stack without checking the length of the input. If the generated output exceeds the buffer size, a heap overflow may occur.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:ethereal_group:ethereal:0.10.8
cpe:/a:ethereal_group:ethereal:0.9.8
cpe:/a:ethereal_group:ethereal:0.9.11
cpe:/a:ethereal_group:ethereal:0.10.9
cpe:/a:ethereal_group:ethereal:0.7.7
cpe:/a:ethereal_group:ethereal:0.9
cpe:/a:ethereal_group:ethereal:0.9.16
cpe:/a:ethereal_group:ethereal:0.9.2
cpe:/a:ethereal_group:ethereal:0.9.4
cpe:/a:ethereal_group:ethereal:0.9.5
cpe:/a:ethereal_group:ethereal:0.10.10
cpe:/a:ethereal_group:ethereal:0.8.14
cpe:/a:ethereal_group:ethereal:0.8.5
cpe:/a:ethereal_group:ethereal:0.10.11
cpe:/a:ethereal_group:ethereal:0.10.1
cpe:/a:ethereal_group:ethereal:0.9.12
cpe:/a:ethereal_group:ethereal:0.10.7
cpe:/a:ethereal_group:ethereal:0.10.2
cpe:/a:ethereal_group:ethereal:0.8
cpe:/a:ethereal_group:ethereal:0.10.13
cpe:/a:ethereal_group:ethereal:0.9.15
cpe:/a:ethereal_group:ethereal:0.9.3
cpe:/a:ethereal_group:ethereal:0.10.4
cpe:/a:ethereal_group:ethereal:0.8.15
cpe:/a:ethereal_group:ethereal:0.10.5
cpe:/a:ethereal_group:ethereal:0.10.12
cpe:/a:ethereal_group:ethereal:0.10.3
cpe:/a:ethereal_group:ethereal:0.9.7
cpe:/a:ethereal_group:ethereal:0.9.9
cpe:/a:ethereal_group:ethereal:0.9.14
cpe:/a:ethereal_group:ethereal:0.9.10
cpe:/a:ethereal_group:ethereal:0.10.6
cpe:/a:ethereal_group:ethereal:0.9.13
cpe:/a:ethereal_group:ethereal:0.8.18
cpe:/a:ethereal_group:ethereal:0.8.13
cpe:/a:ethereal_group:ethereal:0.9.1
cpe:/a:ethereal_group:ethereal:0.8.19
cpe:/a:ethereal_group:ethereal:0.9.6
cpe:/a:ethereal_group:ethereal:0.10

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11286Stack-based buffer overflow in the dissect_ospf_v3_address_prefix function in the OSPF protocol dissector in Ethereal 0.10.12, and possibly ...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3651
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3651
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-198
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15794
(PATCH)  BID  15794
http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051209 Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability
http://www.vupen.com/english/advisories/2005/2830
(UNKNOWN)  VUPEN  ADV-2005-2830
http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c
(UNKNOWN)  MISC  http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c
http://www.redhat.com/support/errata/RHSA-2006-0156.html
(UNKNOWN)  REDHAT  RHSA-2006:0156
http://www.mandriva.com/security/advisories?name=MDKSA-2006:002
(UNKNOWN)  MANDRIVA  MDKSA-2006:002
http://www.mandriva.com/security/advisories?name=MDKSA-2005:227
(UNKNOWN)  MANDRIVA  MDKSA-2005:227
http://www.gentoo.org/security/en/glsa/glsa-200512-06.xml
(UNKNOWN)  GENTOO  GLSA-200512-06
http://www.ethereal.com/appnotes/enpa-sa-00022.html
(UNKNOWN)  CONFIRM  http://www.ethereal.com/appnotes/enpa-sa-00022.html
http://www.debian.org/security/2005/dsa-920
(UNKNOWN)  DEBIAN  DSA-920
http://securitytracker.com/id?1015337
(UNKNOWN)  SECTRACK  1015337
http://securityreason.com/securityalert/247
(UNKNOWN)  SREASON  247
http://secunia.com/advisories/19230
(UNKNOWN)  SECUNIA  19230
http://secunia.com/advisories/19012
(UNKNOWN)  SECUNIA  19012
http://secunia.com/advisories/18911
(UNKNOWN)  SECUNIA  18911
http://secunia.com/advisories/18426
(UNKNOWN)  SECUNIA  18426
http://secunia.com/advisories/18331
(UNKNOWN)  SECUNIA  18331
http://secunia.com/advisories/18062
(UNKNOWN)  SECUNIA  18062
http://secunia.com/advisories/18012
(UNKNOWN)  SECUNIA  18012
http://secunia.com/advisories/17973
(UNKNOWN)  SECUNIA  17973
http://lists.suse.de/archive/suse-security-announce/2006-Feb/0008.html
(UNKNOWN)  SUSE  SUSE-SR:2006:004
ftp://patches.sgi.com/support/free/security/advisories/20060201-01-U
(UNKNOWN)  SGI  20060201-01-U

- Vulnerability information

Ethereal OSPF Protocol Handler Stack Overflow Vulnerability
High risk  Buffer overflow
2005-12-10 00:00:00 2005-12-12 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the patch can be obtained at:
        http://security.debian.org/pool/updates/main/e/ethereal/

- Vulnerability information (F42262)

iDEFENSE Security Advisory 2005-12-09.t (PacketStormID:F42262)
2005-12-14 00:00:00
iDefense Labs  idefense.com
advisory,remote,arbitrary,protocol
linux,redhat,fedora
CVE-2005-3651

iDEFENSE Security Advisory 12.09.05 - Remote exploitation of an input validation vulnerability in the OSPF protocol dissectors within Ethereal, as included in various vendors' operating system distributions, could allow attackers to crash the vulnerable process or potentially execute arbitrary code. iDefense has confirmed the existence of this vulnerability in the ethereal-0.10.12 RPM from Red Hat Fedora Core 3. It is suspected that previous versions containing the OSPF dissector code are also vulnerable.

Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability

iDefense Security Advisory 12.09.05
www.idefense.com/application/poi/display?id=349&type=vulnerabilities
December 9, 2005

I. BACKGROUND

Ethereal is a full featured open source network protocol analyzer.

For more information, see http://www.ethereal.com/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the OSPF
protocol dissectors within Ethereal, as included in various vendors'
operating system distributions, could allow attackers to crash the
vulnerable process or potentially execute arbitrary code.

The affected Ethereal component is used to analyse Open Shortest Path
First (OSPF) Interior Gateway Protocol (IGP), as specified in RFC-2178.

The vulnerability specifically exists due to no bounds checking being
performed in the dissect_ospf_v3_address_prefix() function. This
function takes user-supplied binary data and attempts to convert it into
a human readable string. This function uses a fixed length buffer on
the stack to store the constructed string but performs no checks on the
length of the input. If the generated output length from the input
exceeds the size of the buffer, a stack-based overflow occurs.
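The defect the description above names, as an added example that is not code from the iDefense advisory or from Ethereal's packet-ospf.c: a constructed prefix-to-hex renderer written in the unchecked pattern, beside a form that bounds the packet-supplied prefix length against the protocol maximum, the bytes present in the packet, and the destination buffer. The function names, the 16-byte prefix limit and the three-characters-per-byte rendering are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Ethereal's packet-ospf.c: an OSPFv3 address
 * prefix is rendered as a colon-separated hex string into a fixed-size
 * buffer. The prefix length field comes from the packet, so the sending
 * peer decides how many bytes the formatting loop appends. */

#define MAX_PREFIX_BYTES 16   /* an IPv6 prefix is at most 128 bits */

/* Bytes a prefix of `prefix_bits` bits occupies on the wire (rounded up). */
static unsigned prefix_bytes_for_bits(unsigned prefix_bits)
{
    return (prefix_bits + 7) / 8;
}

/* Buffer size the hex rendering needs, NUL included: "xx:" per byte, with
 * the trailing ':' replaced by the terminator. Every input byte becomes
 * three output characters, which is why the advisory notes the overflow
 * length can only be steered in three-character steps. */
static size_t hex_render_len(unsigned prefix_bytes)
{
    return prefix_bytes == 0 ? 1 : (size_t)prefix_bytes * 3;
}

/* The unchecked pattern: trusts prefix_bytes and appends one "xx:" group
 * per byte with no comparison against the destination size. */
static void render_prefix_unchecked(char *buf, const uint8_t *p, unsigned prefix_bytes)
{
    size_t pos = 0;
    for (unsigned i = 0; i < prefix_bytes; i++)
        pos += (size_t)sprintf(buf + pos, "%02x:", p[i]);   /* pos is never bounded */
    buf[pos ? pos - 1 : 0] = '\0';
}

/* Hardened form: validate the packet-supplied length against the protocol
 * maximum, the bytes actually present in the packet, and the destination
 * buffer before formatting anything. Returns 0 on success, -1 if malformed. */
static int render_prefix_checked(char *buf, size_t buflen, const uint8_t *p,
                                 const uint8_t *pkt_end, unsigned prefix_bits)
{
    unsigned nbytes = prefix_bytes_for_bits(prefix_bits);
    if (prefix_bits > 128 || nbytes > MAX_PREFIX_BYTES)       /* protocol bound */
        return -1;
    if (p > pkt_end || (size_t)(pkt_end - p) < nbytes)        /* packet bound */
        return -1;
    if (buflen == 0 || hex_render_len(nbytes) > buflen)       /* buffer bound */
        return -1;
    size_t pos = 0;
    for (unsigned i = 0; i < nbytes; i++)
        pos += (size_t)snprintf(buf + pos, buflen - pos, "%02x:", p[i]);
    buf[pos ? pos - 1 : 0] = '\0';
    return 0;
}
```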

III. ANALYSIS

Successful exploitation allows remote attackers to perform a DoS against
a running instance of Ethereal and may, under certain conditions,
potentially allow the execution of arbitrary code. As the overflow
string is generated from a format string converting binary values into
their hexadecimal (base 16) equivalent characters, it can contain only a
limited subset of all possible characters, and the length of an
overflow is only able to be controlled to within three characters.
This may prevent exploitability on some platforms; however, it may be
possible that these constraints will not prevent exploitation on
others.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
ethereal-0.10.12 RPM from Red Hat Fedora Core 3. It is suspected that
previous versions containing the OSPF dissector code are also
vulnerable.

V. WORKAROUND

Disable the OSPF packet dissector in Ethereal by performing the
following actions as the user invoking Ethereal, typically root.

Create the .ethereal directory:

 # mkdir ~/.ethereal

You can safely ignore the following error:

 mkdir: cannot create directory '/root/.ethereal': File exists

Add the OSPF dissector to the list of protocols to ignore.

 # echo ospf >> ~/.ethereal/disabled_protos

This workaround will prevent Ethereal from parsing the contents of OSPF
packets, which prevents exposure to the vulnerability.

VI. VENDOR RESPONSE

A source patch is available from the main ethereal SVN Repository:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c?rev=16507&view=markup

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3651 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/14/2005 Initial vendor notification
11/14/2005 Initial vendor response
12/09/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright     

- Vulnerability information

21599
Ethereal OSPF Protocol Dissector dissect_ospf_v3_address_prefix() Function Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Private Vendor Verified, Coordinated Disclosure

- Vulnerability description

- Timeline

2005-12-09 2005-11-14
Unknown 2005-12-09

- Solution

Upgrade to version 0.10.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Ethereal OSPF Protocol Dissection Stack Buffer Overflow Vulnerability
Boundary Condition Error 15794
Yes No
2005-12-09 12:00:00 2006-12-20 10:37:00
The original discoverer of this issue wishes to remain anonymous. iDEFENSE reported this issue to the vendor.

- Affected software versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
RedHat Linux Advanced Work Station 2.1
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Gentoo Linux
Ethereal Group Ethereal 0.10.13
Ethereal Group Ethereal 0.10.12
Ethereal Group Ethereal 0.10.11
Ethereal Group Ethereal 0.10.9
+ Gentoo Linux
Ethereal Group Ethereal 0.10.8
Ethereal Group Ethereal 0.10.7
Ethereal Group Ethereal 0.10.6
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
Ethereal Group Ethereal 0.10.5
Ethereal Group Ethereal 0.10.4
Ethereal Group Ethereal 0.10.3
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10.10
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
Ethereal Group Ethereal 0.10
Ethereal Group Ethereal 0.9.16
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
Ethereal Group Ethereal 0.9.15
Ethereal Group Ethereal 0.9.14
Ethereal Group Ethereal 0.9.13
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Fedora Core1
Ethereal Group Ethereal 0.9.12
Ethereal Group Ethereal 0.9.11
Ethereal Group Ethereal 0.9.10
Ethereal Group Ethereal 0.9.9
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Ethereal Group Ethereal 0.9.8
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.6
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.4
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Ethereal Group Ethereal 0.9.3
Ethereal Group Ethereal 0.9.2
Ethereal Group Ethereal 0.9.1
- Compaq Tru64 5.0
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- HP HP-UX 11.0
- IBM AIX 5.1
- Linux kernel 2.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0
- NetBSD NetBSD 1.5
- OpenBSD OpenSSH 3.0
- SCO Unixware 7.0
- SGI IRIX 6.0
- Sun Solaris 8_sparc
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.8.19
Ethereal Group Ethereal 0.8.18
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2
Ethereal Group Ethereal 0.8.15
Ethereal Group Ethereal 0.8.14
Ethereal Group Ethereal 0.8.13
Ethereal Group Ethereal 0.8.5
Ethereal Group Ethereal 0.8
Ethereal Group Ethereal 0.7.7
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Converged Communications Server 2.0
Avaya Aura SIP Enablement Services 3.0
Ethereal Group Ethereal 0.10.14
Ethereal Group Ethereal 0.10.13

- Unaffected software versions

Ethereal Group Ethereal 0.10.14
Ethereal Group Ethereal 0.10.13

- Vulnerability discussion

A remote buffer-overflow vulnerability affects Ethereal. This issue is due to the application's failure to securely copy network-derived data into sensitive process buffers. The specific issue occurs in the OSPF dissector.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

- Exploit


Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution


Please see the referenced vendor advisories for information and fixes.

Ethereal Group Ethereal 0.10.10
Ethereal Group Ethereal 0.10
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10.11
Ethereal Group Ethereal 0.10.13
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.10.3
Ethereal Group Ethereal 0.10.4
Ethereal Group Ethereal 0.10.5
Ethereal Group Ethereal 0.10.6
Ethereal Group Ethereal 0.10.7
Ethereal Group Ethereal 0.10.8
Ethereal Group Ethereal 0.10.9
Ethereal Group Ethereal 0.8.13
Ethereal Group Ethereal 0.8.15
Ethereal Group Ethereal 0.8.18
Ethereal Group Ethereal 0.8.5
Ethereal Group Ethereal 0.9
Ethereal Group Ethereal 0.9.1
Ethereal Group Ethereal 0.9.11
Ethereal Group Ethereal 0.9.12
Ethereal Group Ethereal 0.9.13
Ethereal Group Ethereal 0.9.15
Ethereal Group Ethereal 0.9.16
Ethereal Group Ethereal 0.9.4
Ethereal Group Ethereal 0.9.5
Ethereal Group Ethereal 0.9.7
Ethereal Group Ethereal 0.9.9

- Related references
