
List:       ethereal-dev
Subject:    [Ethereal-dev] ethereal radius dissector vulnerability
From:       Jonathan Heusser <jonny () drugphish ! ch>
Date:       2004-03-18 13:26:19
Message-ID: 4059A37B.9050409 () drugphish ! ch

Hello,

during an audit I found a vulnerability in the radius dissector of ethereal version 0.10.2 (and probably prior versions as well). This bug allows a remote attacker to cause at least a denial of service attack. The execution of arbitrary code could be possible.


The problem is located in the function dissect_attribute_value_pairs of packet-radius.c:

If you manage to create a packet which causes the find_radius_attr_info call on line 2600 to return NULL, and at the same time have avph.avp_length set to 2, then ethereal will fail while calling proto_tree_add_text on line 2608. More precisely, while accessing attr_info->str.

...
(2600)    attr_info = find_radius_attr_info(avph.avp_type, radius_attrib);
          if (avph.avp_length < 2) {
              if (tree) {
(2608)            proto_tree_add_text(tree, tvb, offset, avph.avp_length,
                      "t:%s(%u) l:%u (length not >= 2)",
                      attr_info->str, avph.avp_type, avph.avp_length);
              }
...

A possible fix for this would be to bail out when find_radius_attr_info returns NULL, though this might not be the best solution.

Thank you,
Jonathan Heusser

-- 
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C

_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
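The NULL dereference described in the report above, as an added example that is not part of the original message or of Ethereal's packet-radius.c: a constructed C model of the AVP parse with the faulty length-error path beside a hardened version that substitutes a placeholder name whenever the attribute lookup returns NULL and also rejects a declared length larger than the remaining data. The attribute table, the function names dissect_avp_vulnerable, dissect_avp_hardened, attr_name and count_avps_hardened, the avp_status codes and the "Unknown-Attribute" placeholder are assumptions of this example, not identifiers from the real dissector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed attribute table, a tiny stand-in for radius_attrib. */
typedef struct {
    uint8_t     type;
    const char *str;
} radius_attr_info_t;

static const radius_attr_info_t radius_attrib[] = {
    { 1, "User-Name" },
    { 2, "User-Password" },
    { 4, "NAS-IP-Address" },
    { 5, "NAS-Port" },
};

/* Returns NULL for a type missing from the table: the case the report describes. */
static const radius_attr_info_t *
find_radius_attr_info(uint8_t type)
{
    size_t i;
    for (i = 0; i < sizeof radius_attrib / sizeof radius_attrib[0]; i++)
        if (radius_attrib[i].type == type)
            return &radius_attrib[i];
    return NULL;
}

enum avp_status { AVP_OK = 0, AVP_TRUNCATED = 1, AVP_BAD_LENGTH = 2 };

/* Name to print, with a fallback when the lookup failed (placeholder is this example's). */
static const char *
attr_name(const radius_attr_info_t *attr_info)
{
    return attr_info ? attr_info->str : "Unknown-Attribute";
}

/* Faulty shape: the length-error branch reads attr_info->str with no NULL check,
 * so an unknown type with avp_length < 2 dereferences NULL. Kept to show the
 * control flow; never call it with that input. */
static enum avp_status
dissect_avp_vulnerable(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    const radius_attr_info_t *attr_info;
    uint8_t avp_type, avp_length;

    if (len < 2)
        return AVP_TRUNCATED;               /* the 2-byte AVP header is missing */
    avp_type   = buf[0];
    avp_length = buf[1];
    attr_info  = find_radius_attr_info(avp_type);
    if (avp_length < 2) {
        snprintf(out, outlen, "t:%s(%u) l:%u (length not >= 2)",
                 attr_info->str, (unsigned)avp_type, (unsigned)avp_length); /* NULL deref */
        return AVP_BAD_LENGTH;
    }
    snprintf(out, outlen, "t:%s(%u) l:%u",
             attr_name(attr_info), (unsigned)avp_type, (unsigned)avp_length);
    return AVP_OK;
}

/* Hardened shape: every use of attr_info goes through attr_name(), and the
 * declared length is also checked against the bytes actually present. */
static enum avp_status
dissect_avp_hardened(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    const radius_attr_info_t *attr_info;
    uint8_t avp_type, avp_length;

    if (len < 2)
        return AVP_TRUNCATED;
    avp_type   = buf[0];
    avp_length = buf[1];
    attr_info  = find_radius_attr_info(avp_type);
    if (avp_length < 2) {
        snprintf(out, outlen, "t:%s(%u) l:%u (length not >= 2)",
                 attr_name(attr_info), (unsigned)avp_type, (unsigned)avp_length);
        return AVP_BAD_LENGTH;
    }
    if (avp_length > len) {
        snprintf(out, outlen, "t:%s(%u) l:%u (length exceeds remaining data)",
                 attr_name(attr_info), (unsigned)avp_type, (unsigned)avp_length);
        return AVP_TRUNCATED;
    }
    snprintf(out, outlen, "t:%s(%u) l:%u",
             attr_name(attr_info), (unsigned)avp_type, (unsigned)avp_length);
    return AVP_OK;
}

/* Walks a list of AVPs with the hardened parser and returns how many were
 * accepted before the first malformed one or the end of the data. Progress is
 * guaranteed because an accepted AVP has 2 <= avp_length <= remaining bytes. */
static int
count_avps_hardened(const uint8_t *buf, size_t len)
{
    char   line[128];
    size_t off = 0;
    int    n = 0;

    while (off < len) {
        if (dissect_avp_hardened(buf + off, len - off, line, sizeof line) != AVP_OK)
            break;
        off += buf[off + 1];
        n++;
    }
    return n;
}
```

Feeding the constructed AVP list `{1,7,'a','l','i','c','e', 5,6,0,0,0,1, 200,1}` through count_avps_hardened accepts the two well-formed attributes and stops at the third, which is exactly the shape the report describes (type unknown to the table, length below 2); the hardened parser reports it as "t:Unknown-Attribute(200) l:1 (length not >= 2)" instead of dereferencing NULL, while the vulnerable variant would crash on that same AVP.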