Wireshark · Ethereal-dev: [Ethereal-dev] ethereal radius dissector vulnerability

Ethereal-dev: [Ethereal-dev] ethereal radius dissector vulnerability

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jonathan Heusser <jonny@xxxxxxxxxxxx>

Date: Thu, 18 Mar 2004 14:26:19 +0100

Hello,

during an audit I found a vulnerability in the radius dissector ofethereal version 0.10.2

(and probably prior to aswell).

This bug allows a remote attacker to cause at least a denial of serviceattack. The execution of

arbitrary code could be possible..

The problem is located in the function dissect_attribute_value_pairs ofpacket-radius.c:

If you manage to create a packet which causes the find_radius_attr_infocall on line 2600 to return NULL,and at the same time having avph.avp_length set to 2, then ethereal willfail whilecalling proto_tree_add_text on line 2608. More precisely while accessingattr_info->str.


...
(2600)    attr_info = find_radius_attr_info(avph.avp_type, radius_attrib);
             if (avph.avp_length < 2) {
                  if (tree) {
(2608)            proto_tree_add_text(tree, tvb, offset, avph.avp_length,
                        "t:%s(%u) l:%u (length not >= 2)",
                        attr_info->str, avph.avp_type, avph.avp_length);
                  }
...

A possible fix for this would be to bail out when find_radius_attr_inforeturns NULL, though this might

not be the best solution.

Thank you,
Jonathan Heusser

--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C

Follow-Ups:
- Re: [Ethereal-dev] ethereal radius dissector vulnerability
  - From: Gerald Combs

Prev by Date: [Ethereal-dev] libethereal shared lib TODOs
Next by Date: Re: [Ethereal-dev] Display filter working
Previous by thread: [Ethereal-dev] libethereal shared lib TODOs
Next by thread: Re: [Ethereal-dev] ethereal radius dissector vulnerability
Index(es):
- Date
- Thread