exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 17

Rapid7 Security Advisory 17
Posted Mar 30, 2004
Authored by Rapid7 | Site rapid7.com

Rapid7 Security Advisory - tcpdump versions 3.8.1 and below contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, tcpdump will try to read beyond the end of the packet capture buffer and crash.

tags | advisory, protocol
advisories | CVE-2004-0183, CVE-2004-0184
SHA-256 | bf610b65d6dfc6a1e758210dd11a41752fa7ae6f05f82c0910e413398c61725a

Rapid7 Security Advisory 17

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0017
TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities

Published: March 30, 2004
Revision: 1.0
http://www.rapid7.com/advisories/R7-0017.html

CVE: CAN-2004-0183, CAN-2004-0184

1. Affected system(s):

KNOWN VULNERABLE:
o TCPDUMP v3.8.1 and earlier versions

2. Summary

TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the
packet display functions for the ISAKMP protocol. Upon receiving
specially crafted ISAKMP packets, TCPDUMP will try to read beyond
the end of the packet capture buffer and crash.

3. Vendor status and information

TCPDUMP
http://www.tcpdump.org

The vendor was notified and they have released an updated version
of TCPDUMP, version 3.8.2, which fixes these defects. Subsequently,
the version number was bumped to 3.8.3 to match libpcap.

4. Solution

Upgrade to version 3.8.3 of TCPDUMP. You should also consider
upgrading to version 0.8.3 of libpcap. Note that many vendors
package their own customized version of TCPDUMP and libpcap with
their operating system distribution. You may want to consider
contacting your operating system vendor for an upgrade.

5. Detailed analysis

To test the security and robustness of IPSEC implementations
from multiple vendors, the security research team at Rapid7
has designed the Striker ISAKMP Protocol Test Suite. Striker
is an ISAKMP packet generation tool that automatically produces
and sends invalid and/or atypical ISAKMP packets.

This advisory is the second in a series of vulnerability
disclosures discovered with the Striker test suite. Striker
will be made available to qualified IPSEC vendors. Please
email advisory@rapid7.com for more information on obtaining
Striker.

There are two defects in the ISAKMP packet display functions in
TCPDUMP. Both of them require that verbose packet display be
enabled with the -v option. These defects result in out-of-bounds
reads.

Overflow in ISAKMP Delete payload with large number of SPI's
CVE ID: CAN-2004-0183

When displaying Delete payloads, TCPDUMP does not verify
that (NSPIS * SPISIZE) fits within the snap buffer.

An ISAKMP packet with a malformed Delete payload having
a large self-reported number of SPI's will cause TCPDUMP
to crash as it tries to read from beyond the end of the
snap buffer.

See section 3.15 of RFC 2408 for information on the
Delete payload format.

Integer underflow in ISAKMP Identification payload
CVE ID: CAN-2004-0184

An ISAKMP packet with a malformed Identification payload
with a self-reported payload length that becomes less than
8 when its byte order is reversed will cause TCPDUMP to
crash as it tries to read from beyond the end of the
snap buffer. TCPDUMP must be using a snaplen of 325 or
greater for this underflow to be triggered.

This is due to an inconsistency in the byte order conversion
in the isakmp_id_print() function:

if (sizeof(*p) < id.h.len)
data = (u_char *)(p + 1);
else
data = NULL;
len = ntohs(id.h.len) - sizeof(*p);

If id.h.len is equal to, say, 256 (and this fits within the snap
buffer), then len will be equal to:

ntohs(256) - sizeof(*p)

which becomes a negative value on i386.

6. Contact Information

Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (617) 603-0700

7. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2004 Rapid7, LLC. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAaa48MiAxz4wsmx8RAr4lAJ0Y69TpTaDZkRxARdTdq1iwgRv+RQCeMEw9
Oh6mpCe95vffPgf+7Ku2o+c=
=YXNu
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close