Name: Multiple problems in Ethereal versions 0.8.14 to 0.10.10
Docid: enpa-sa-00019
Date: May 4, 2005
Versions affected: 0.8.14 up to and including 0.10.10
Severity: High
Description:
An aggressive testing program as well as independent discovery has
turned up a multitude of security issues:
- The ANSI A dissector was susceptible to format string vulnerabilities.
  Discovered by Bryan Fulton.
  Versions affected: 0.9.15 to 0.10.10
- The GSM MAP dissector could crash.
  Versions affected: 0.10.0 to 0.10.10
- The AIM dissector could cause a crash.
  Versions affected: 0.9.14 to 0.10.10
- The DISTCC dissector was susceptible to a buffer overflow.
  Discovered by Ilja van Sprundel.
  Versions affected: 0.9.13 to 0.10.10
- The FCELS dissector was susceptible to a buffer overflow.
  Discovered by Neil Kettle.
  Versions affected: 0.9.9 to 0.10.10
- The SIP dissector was susceptible to a buffer overflow.
  Discovered by Ejovi Nuwere.
  Versions affected: 0.10.0 to 0.10.10
- The KINK dissector was susceptible to a null pointer exception,
  endless looping, and other problems.
  Versions affected: 0.10.10
- The LMP dissector was susceptible to an endless loop.
  Versions affected: 0.9.4 to 0.10.10
- The Telnet dissector could abort.
  Versions affected: 0.9.10 to 0.10.10
- The TZSP dissector could cause a segmentation fault.
  Versions affected: 0.10.10 to 0.10.10
- The WSP dissector was susceptible to a null pointer exception and
  assertions.
  Versions affected: 0.10.0 to 0.10.10
- The 802.3 Slow protocols dissector could throw an assertion.
  Versions affected: 0.10.10
- The BER dissector could throw assertions.
  Versions affected: 0.10.2 to 0.10.10
- The SMB Mailslot dissector was susceptible to a null pointer exception
  and could throw assertions.
  Versions affected: 0.9.0 to 0.10.10
- The H.245 dissector was susceptible to a null pointer exception.
  Versions affected: 0.10.10
- The Bittorrent dissector could cause a segmentation fault.
  Versions affected: 0.10.8 to 0.10.10
- The SMB dissector could cause a segmentation fault and throw assertions.
  Versions affected: 0.9.0 to 0.10.10
- The Fibre Channel dissector could cause a crash.
  Versions affected: 0.9.9 to 0.10.10
- The DICOM dissector could attempt to allocate large amounts of memory.
  Versions affected: 0.10.4 to 0.10.10
- The MGCP dissector was susceptible to a null pointer exception, could
  loop indefinitely, and segfault.
  Versions affected: 0.8.14 to 0.10.10
- The RSVP dissector could loop indefinitely.
  Versions affected: 0.9.8 to 0.10.10
- The DHCP dissector was susceptible to format string vulnerabilities, and
  could abort.
  Versions affected: 0.10.7 to 0.10.10
- The SRVLOC dissector could crash unexpectedly or go into an infinite loop.
  Versions affected: 0.9.8 to 0.10.10
- The EIGRP dissector could loop indefinitely.
  Versions affected: 0.8.18 to 0.10.10
- The ISIS dissector could overflow a buffer.
  Versions affected: 0.8.18 to 0.10.10
- The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified,
  and X.509 dissectors could overflow buffers.
  Versions affected: 0.10.4 to 0.10.10
- The NDPS dissector could exhaust system memory or cause an assertion,
  or crash.
  Versions affected: 0.9.12 to 0.10.10
- The Q.931 dissector could try to free a null pointer and overflow
  a buffer.
  Versions affected: 0.10.10
- The IAX2 dissector could throw an assertion.
  Versions affected: 0.10.1 to 0.10.10
- The ICEP dissector could try to free the same memory twice.
  Versions affected: 0.10.7 to 0.10.10
- The MEGACO dissector was susceptible to an infinite loop and a buffer
  overflow.
  Versions affected: 0.9.14 to 0.10.10
- The DLSw dissector was susceptible to an infinite loop.
  Versions affected: 0.9.1 to 0.10.10
- The RPC dissector was susceptible to a null pointer exception.
  Versions affected: 0.9.2 to 0.10.10
- The NCP dissector could overflow a buffer or loop for a large amount
  of time.
  Versions affected: 0.10.5 to 0.10.10
- The RADIUS dissector could throw an assertion.
  Versions affected: 0.10.3 to 0.10.10
- The GSM dissector could access an invalid pointer.
  Versions affected: 0.10.10
- The SMB PIPE dissector could throw an assertion.
  Versions affected: 0.9.0 to 0.10.10
- The L2TP dissector was susceptible to an infinite loop.
  Versions affected: 0.10.9 to 0.10.10
- The SMB NETLOGON dissector could dereference a null pointer.
  Versions affected: 0.9.12 to 0.10.10
- The MRDISC dissector could throw an assertion.
  Versions affected: 0.8.19 to 0.10.10
- The ISUP dissector could overflow a buffer or cause a segmentation fault.
  Versions affected: 0.8.19 to 0.10.10
- The LDAP dissector could crash.
  Versions affected: 0.10.1 to 0.10.10
- The TCAP dissector could overflow a buffer or throw an assertion.
  Versions affected: 0.10.8 to 0.10.10
- The NTLMSSP dissector could crash.
  Versions affected: 0.9.7 to 0.10.10
- The Presentation dissector could overflow a buffer.
  Versions affected: 0.10.1 to 0.10.10
- Additionally, a number of dissectors could throw an assertion when
  passing an invalid protocol tree item length.
  Versions affected: 0.10.8 to 0.10.10
Impact:
It may be possible to make Ethereal crash, use up available
memory, or run arbitrary code by injecting a purposefully
malformed packet onto the wire or by convincing someone to read
a malformed packet trace file.
Resolution:
Upgrade to 0.10.11. Due to the severity and scope of the defects
that have been discovered, no workaround is available.