https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5375
Summary: Buffer overflow when handling SNMP users preferences
Product: Wireshark
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: Minor
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: d0c.s4vage@xxxxxxxxx
Build Information:
Version 1.4.1 (SVN Rev 34476 from /trunk-1.4)
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5, with
Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Oct
11 2010), with AirPcap.
Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 30729
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
In epan/dissectors/packet-snmp.c in the snmp_usm_password_to_key_sha1 function,
a stack-based buffer can be overflowed. The function is:
3057 /*
3058 SHA1 Password to Key Algorithm COPIED from RFC 3414 A.2.2
3059 */
3060
3061 static void
3062 snmp_usm_password_to_key_sha1(const guint8 *password, guint passwordlen,
3063 const guint8 *engineID, guint engineLength,
3064 guint8 *key)
3065 {
3066 sha1_context SH;
3067 guint8 *cp, password_buf[72];
3068 guint32 password_index = 0;
3069 guint32 count = 0, i;
3070
3071 sha1_starts(&SH); /* initialize SHA */
3072
3073 /**********************************************/
3074 /* Use while loop until we've done 1 Megabyte */
3075 /**********************************************/
3076 while (count < 1048576) {
3077 cp = password_buf;
3078 for (i = 0; i < 64; i++) {
3079 /*************************************************/
3080 /* Take the next octet of the password, wrapping */
3081 /* to the beginning of the password as necessary.*/
3082 /*************************************************/
3083 *cp++ = password[password_index++ % passwordlen];
3084 }
3085 sha1_update (&SH, password_buf, 64);
3086 count += 64;
3087 }
3088 sha1_finish(&SH, key);
3089
3090 /*****************************************************/
3091 /* Now localize the key with the engineID and pass */
3092 /* through SHA to produce final key */
3093 /* May want to ensure that engineLength <= 32, */
3094 /* otherwise need to use a buffer larger than 72 */
3095 /*****************************************************/
3096 memcpy(password_buf, key, 20);
3097 memcpy(password_buf+20, engineID, engineLength);
3098 memcpy(password_buf+20+engineLength, key, 20);
3099
3100 sha1_starts(&SH);
3101 sha1_update(&SH, password_buf, 40+engineLength);
3102 sha1_finish(&SH, key);
3103 return;
3104 }
If a sufficiently large engineID is passed to this function, the password_buf
buffer will be overflowed (line 3097). Also, the same function with the same
problem is present in asn1/snmp/packet-snmp-template.c (used by asn2wrs)
I marked this as having a minor severity, since it's not remotely exploitable-
--Nephi
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
