Name: Several security problems in Ethereal 0.9.12

Docid: enpa-sa-00010

Date: June 11, 2003

Versions affected: unknown up to 0.9.12

Severity: High

Description:

Further source code auditing by Timo Sirainen has turned up several string handling flaws in various protocol dissectors. Separate security problems were discovered by other people:

• The DCERPC dissector could try to allocate too much memory while trying to decode an NDR string.
• Bad IPv4 or IPv6 prefix lengths could cause an overflow in the OSI dissector.
• The SPNEGO dissector could segfault while parsing an invalid ASN.1 value.
• The tvb_get_nstringz0() routine incorrectly handled a zero-length buffer size.
• The BGP, WTP, DNS, 802.11, ISAKMP, WSP, CLNP, ISIS, and RMI dissectors handled strings improperly.

Impact:

It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.9.13.