Abc de la sécurité informatique

Une nouvelle version d'Ethereal (v. 0.9.11) est disponible sur le site officiel.
Ethereal 0.9.11 bouche les failles de sécurité découvertes et publiées par Georgi Guninski.
Beaucoup de mises à jour mineures ont été apportées.
Comme toujours, de nouveaux protocoles sont supportés (MSN Messenger, Rsync, SSH, Yahoo! Messenger), beaucoup de protocoles déjà reconnus ont été mis à jour et Ethereal supporte maintenant le format de capture des analyseurs réseau NetXRay, NGSniffer et Snoop .
Tous les utilisateurs sont invités à mettre à jour leur version (surtout la Ethereal 0.9.10 qui est bugguée)
Page d'accueil du site officiel: Ethereal.com
Téléchargement (multi OS): Ethereal - Download

Georgi Guninski security advisory #60, 2003

Ethereal format string bug, yet still ethereal much better than windows

Systems affected:
Ethereal < 0.9.10
Fixed in 0.9.10


Risk: Medium
Date: 8 March 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/etherre.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:
Ethereal is a sniffer. According to www.ethereal.com its purpose is:
"Sniffing the glue that holds the Internet together"
There is format string bug in it which is confirmed to be a DoS and
probably can lead to execution of code (the difficulty comes from the fact
that some characters are escaped)

Details:
The problem seems to be in: "packet-socks.c" line 910 of 1180
-----
proto_tree_add_text( tree, tvb, offset, linelen,
format_text(data, linelen));
------
The format mask is missing.
How to reproduce on localhost:

start raw3sv.pl (dummy socks server, attached)
start ethereal on loopback, update packets in real time.
start sockcl.pl (attached, does socks ping, without argument connects to
localhost)
wait about 5 seconds.
go to ethereal and select the line "Sock5.....Ping Req Results"
result: SEGV.

---raw3sv.pl----

----------------

----sockcl.pl------------
----------------


Workaround/Solution:
Upgrade to 0.9.10 or apply the following patch:
------------------
--- packet-socks.c.orig 2002-08-29 03:40:03.000000000 +0300
+++ packet-socks.c 2003-02-25 15:52:14.000000000 +0200
@@ -908,7 +908,7 @@
linelen = lineend - data;

proto_tree_add_text( tree, tvb, offset, linelen,
- format_text(data, linelen));
+ "%s",format_text(data, linelen));
offset += linelen;
data = lineend;
}
------------------

Vendor status:
Notified on Tue, 25 Feb 2003
http://www.ethereal.com/appnotes/enpa-sa-00008.html


btw, happy 8 March to the women.

Regards,
Georgi Guninski
http://www.guninski.com