Ethereal

enpa-sa-00001

Summary

Name: SNMP and LDAP string handling

Docid: enpa-sa-00001

Date: March 23, 2002

Versions affected: 0.9.1 and prior, 0.9.2 when compiled with SNMP

Severity: High

Details

Description:

The PROTOS test suite developed by the Oulu University Secure Programming Group revealed the following problems:

  1. Due to improper string and error handling in Ethereal's ASN.1 parser, it is possible for a malformed SNMP or LDAP packet to cause a memory allocation or buffer overrun error in Ethereal.

    The COPS and Kerberos dissectors also utilize the ASN.1 parser. It is possible that they are subject to this vulnerability, but the matter has not been investigated.

  2. If Ethereal has been linked with the CMU or UCD SNMP libraries a malformed packet could cause a buffer overrun error. Versions of UCD SNMP up to and including 4.2.3 and likely all CMU SNMP versions are affected.
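The first problem above is a classic ASN.1/BER length-handling defect: SNMP and LDAP both carry strings as BER TLVs (a tag byte, a length, then the content), and a dissector that trusts the encoded length without comparing it to the bytes actually captured can be driven into an oversized allocation or a read past the end of the packet buffer. The following is an added illustration written for this page, not Ethereal's own ASN.1 parser or dissector code; the message bytes are constructed, and the function names are invented for the example. It places the vulnerable pattern beside the bounded version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative BER OCTET STRING (tag 0x04) extraction; not Ethereal's code. */

/* Decode a BER length starting at buf[0]. Returns the number of length
 * octets consumed, or -1 if the encoding is malformed or truncated.
 * Handles short form (< 0x80) and long form with 1..4 length octets. */
static int ber_read_length(const uint8_t *buf, size_t avail, uint32_t *len_out)
{
    if (avail < 1)
        return -1;
    uint8_t first = buf[0];
    if (first < 0x80) {                     /* short form */
        *len_out = first;
        return 1;
    }
    int nbytes = first & 0x7f;
    if (nbytes == 0 || nbytes > 4)          /* indefinite form or absurdly wide */
        return -1;
    if ((size_t)nbytes + 1 > avail)         /* the length octets themselves are cut off */
        return -1;
    uint32_t len = 0;
    for (int i = 0; i < nbytes; i++)
        len = (len << 8) | buf[1 + i];
    *len_out = len;
    return nbytes + 1;
}

/* Vulnerable pattern: the encoded length is used as-is. A long-form length
 * of 0xFFFFFFFF makes len + 1 wrap to 0 on a 32-bit size_t, so memcpy writes
 * past a zero-byte buffer; any length larger than the bytes remaining makes
 * memcpy read beyond the packet. Shown only to expose the defect; never call
 * it on untrusted input. */
char *octet_string_to_str_vuln(const uint8_t *buf, size_t avail)
{
    uint32_t len;
    if (avail < 1 || buf[0] != 0x04)
        return NULL;
    int hdr = ber_read_length(buf + 1, avail - 1, &len);
    if (hdr < 0)
        return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf + 1 + hdr, len);
    s[len] = '\0';
    return s;
}

/* Hardened pattern: the claimed length is bounded by the bytes actually
 * present before any allocation or copy takes place. */
char *octet_string_to_str_safe(const uint8_t *buf, size_t avail)
{
    uint32_t len;
    if (avail < 1 || buf[0] != 0x04)
        return NULL;
    int hdr = ber_read_length(buf + 1, avail - 1, &len);
    if (hdr < 0)
        return NULL;
    size_t remaining = avail - 1 - (size_t)hdr;
    if (len > remaining)                    /* the length lies about the payload */
        return NULL;
    char *s = malloc((size_t)len + 1);      /* cannot overflow: len <= avail */
    if (s == NULL)
        return NULL;
    memcpy(s, buf + 1 + hdr, len);
    s[len] = '\0';
    return s;
}

/* Constructed test vectors (not real captures). */
const uint8_t msg_good[]  = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t msg_trunc[] = { 0x04, 0x10, 'a', 'b' };               /* claims 16 bytes, carries 2 */
const uint8_t msg_huge[]  = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff };  /* claims 4 GiB of content */
const uint8_t msg_indef[] = { 0x04, 0x80 };                         /* indefinite length */

/* Returns 1 if the hardened parser accepts buf and yields expected, else 0. */
int safe_parse_equals(const uint8_t *buf, size_t avail, const char *expected)
{
    char *s = octet_string_to_str_safe(buf, avail);
    if (s == NULL)
        return 0;
    int ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("good:  %s\n", safe_parse_equals(msg_good, sizeof msg_good, "hello") ? "accepted" : "rejected");
    printf("trunc: %s\n", octet_string_to_str_safe(msg_trunc, sizeof msg_trunc) ? "accepted" : "rejected");
    printf("huge:  %s\n", octet_string_to_str_safe(msg_huge, sizeof msg_huge) ? "accepted" : "rejected");
    printf("indef: %s\n", octet_string_to_str_safe(msg_indef, sizeof msg_indef) ? "accepted" : "rejected");
    return 0;
}
```

The only difference between the two extraction routines is the single comparison of the decoded length against the bytes remaining in the buffer; that check is what a PROTOS-style fuzzer is probing for when it emits truncated, indefinite and absurdly long length encodings.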

Ethereal versions 0.9.1 and prior are linked with either UCD or CMU SNMP at compile time by default. To determine whether your copy of Ethereal is linked with either library, display its version information (for example, by running Ethereal or Tethereal with the "-v" command line option).

The version information shows the application version along with the libraries that Ethereal and Tethereal are linked against. If the version is "0.9.1" or prior, or "with SNMP" is displayed, the application is vulnerable.

Impact:

It may be possible to run arbitrary code in Ethereal by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.

Additionally, affected versions of Ethereal will crash while dissecting various malformed SNMP and LDAP packets, including those generated by the PROTOS suite.

Resolution:

Upgrade to 0.9.2 or later. If you compile Ethereal by hand, do not configure with "--enable-snmp" unless you have UCD SNMP 4.2.4 or a later 4.x release, or NET-SNMP 5.0.1 or a later 5.x release. Note that if Ethereal is dynamically linked with the SNMP library, it is vulnerable whenever the machine on which it runs has an earlier library version; so even if 4.2.4 or later, or 5.0.1 or later, is installed on your build machine, you may still prefer not to configure with "--enable-snmp".