Ethereal

enpa-sa-00008

Summary

Name: SOCKS string format vulnerability in Ethereal 0.9.9

Docid: enpa-sa-00008

Date: March 7, 2003

Versions affected: 0.8.7 to 0.9.9

Severity: High

Details

Description:

The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. In order to determine which version of Ethereal you have installed, do one of the following:

Either action will display the application version along with the libraries that Ethereal and Tethereal are linked with. If version "0.9.9" or prior is displayed, the application is susceptible.

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0081

Impact:

It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.9.10.

If you are running a version prior to 0.9.10 and you cannot upgrade, you can disable the SOCKS and NTLMSSP protocol dissectors by selecting Edit->Protocols... and deselecting them from the list.
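To apply the version ranges above across several hosts, the following added example (not part of the original advisory or of Ethereal itself) classifies collected version banners against the boundaries the advisory states. The `host<TAB>banner` inventory format, the banner layout and the host names are assumptions, and the sample data is constructed.

```python
import re

# Version boundaries as stated in the advisory.
FIRST_SOCKS = (0, 8, 7)   # release that introduced the SOCKS dissector
FIXED = (0, 9, 10)        # release named under "Resolution"

# First x.y.z token that is not part of a longer dotted number.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first x.y.z version found in text as an int tuple, or None."""
    m = _VERSION.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def triage(text):
    """Classify one version banner against the advisory's ranges."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Compare numerically: as plain strings "0.9.10" sorts before "0.9.9",
    # which would report the fixed release as vulnerable.
    if version >= FIXED:
        return "fixed"
    if version >= FIRST_SOCKS:
        return "affected"          # inside "Versions affected: 0.8.7 to 0.9.9"
    return "upgrade-advised"       # older than the SOCKS dissector, still <= 0.9.9


def triage_inventory(lines):
    """Map 'host<TAB>banner' lines to {host: status}."""
    result = {}
    for line in lines:
        host, _, banner = line.partition("\t")
        result[host] = triage(banner)
    return result


# Constructed sample inventory; the banner layout is an assumption.
SAMPLE = [
    "ids-01\tethereal 0.9.9",
    "ids-02\ttethereal 0.9.10",
    "lab-03\tethereal 0.8.5",
    "lab-04\tethereal 0.8.7",
    "lab-05\tnot installed",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `affected` or `upgrade-advised` that cannot move to 0.9.10 are the ones where the dissector workaround above applies.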