List: ethereal-dev
Subject: [Ethereal-dev] ethereal radius dissector vulnerability
From: Jonathan Heusser <jonny () drugphish ! ch>
Date: 2004-03-18 13:26:19
Message-ID: 4059A37B.9050409 () drugphish ! ch
Hello,

During an audit I found a vulnerability in the radius dissector of ethereal version 0.10.2 (and probably prior to as well).

This bug allows a remote attacker to cause at least a denial of service attack. The execution of arbitrary code could be possible.

The problem is located in the function dissect_attribute_value_pairs of packet-radius.c:

If you manage to create a packet which causes the find_radius_attr_info call on line 2600 to return NULL, and at the same time having avph.avp_length set to 2, then ethereal will fail while calling proto_tree_add_text on line 2608. More precisely while accessing attr_info->str.

...
(2600) attr_info = find_radius_attr_info(avph.avp_type, radius_attrib);
       if (avph.avp_length < 2) {
           if (tree) {
(2608)         proto_tree_add_text(tree, tvb, offset, avph.avp_length,
                   "t:%s(%u) l:%u (length not >= 2)",
                   attr_info->str, avph.avp_type, avph.avp_length);
           }
...

A possible fix for this would be to bail out when find_radius_attr_info returns NULL, though this might not be the best solution.

Thank you,
Jonathan Heusser
--
Key fingerprint = 2A55 EB7C B7EA 6336 7767 4A47 910A 307B 1333 BD6C
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
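
Added example, not part of the original message and not Ethereal's code: a self-contained C sketch of the pattern the post describes, where an attribute lookup can return NULL and the malformed-length diagnostic still formats the attribute name. The names attr_info_t, find_attr_info, attr_name and walk_avps, the two-entry table and the "Unknown Type" fallback are hypothetical stand-ins; the hardening shown is to route every name access through a null-safe accessor instead of reading the str field directly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the dissector's types; not Ethereal's definitions. */
typedef struct { unsigned type; const char *str; } attr_info_t;

static const attr_info_t attr_table[] = {
    { 1, "User Name" },
    { 4, "NAS IP Address" },
};

/* Returns NULL for a type the table does not know, like the lookup in the post. */
static const attr_info_t *find_attr_info(unsigned type)
{
    for (size_t i = 0; i < sizeof attr_table / sizeof attr_table[0]; i++)
        if (attr_table[i].type == type)
            return &attr_table[i];
    return NULL;
}

/* Null-safe accessor: every diagnostic path reads the name through this. */
static const char *attr_name(const attr_info_t *info)
{
    return (info != NULL && info->str != NULL) ? info->str : "Unknown Type";
}

/*
 * Walk the type/length/value records in buf. On the first malformed record,
 * write a diagnostic line into out and return -1; otherwise return the number
 * of well-formed records. out must have room for at least one byte.
 */
static int walk_avps(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t off = 0;
    int count = 0;

    out[0] = '\0';
    while (len - off >= 2) {
        unsigned type = buf[off], avp_len = buf[off + 1];
        const attr_info_t *info = find_attr_info(type);   /* may be NULL */

        if (avp_len < 2 || avp_len > len - off) {
            /* The unhardened pattern passes info->str here and faults on NULL. */
            snprintf(out, outlen, "t:%s(%u) l:%u (bad length)",
                     attr_name(info), type, avp_len);
            return -1;
        }
        off += avp_len;
        count++;
    }
    return count;
}
```

The length check also rejects a record that claims more bytes than remain in the buffer, which keeps the walk itself in bounds.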