[Full-Disclosure] R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities

advisory_at_rapid7.com
Date: 03/30/04

  • Next message: Drew Copley: "RE: [Full-Disclosure] RE: new internet explorer exploit (was new worm)" 
    To: full-disclosure@lists.netsys.com
Date: Tue, 30 Mar 2004 10:13:49 -0800

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    _______________________________________________________________________
                         Rapid7, Inc. Security Advisory
           Visit http://www.rapid7.com/ to download NeXpose,
            the world's most advanced vulnerability scanner.
          Linux and Windows 2000/XP versions are available now!
    _______________________________________________________________________

    Rapid7 Advisory R7-0017
    TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities

       Published: March 30, 2004
       Revision: 1.0
       http://www.rapid7.com/advisories/R7-0017.html

       CVE: CAN-2004-0183, CAN-2004-0184

    1. Affected system(s):

       KNOWN VULNERABLE:
        o TCPDUMP v3.8.1 and earlier versions

    2. Summary

       TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the
       packet display functions for the ISAKMP protocol. Upon receiving
       specially crafted ISAKMP packets, TCPDUMP will try to read beyond
       the end of the packet capture buffer and crash.

    3. Vendor status and information

       TCPDUMP
       http://www.tcpdump.org

       The vendor was notified and they have released an updated version
       of TCPDUMP, version 3.8.2, which fixes these defects. Subsequently,
       the version number was bumped to 3.8.3 to match libpcap.

    4. Solution

       Upgrade to version 3.8.3 of TCPDUMP. You should also consider
       upgrading to version 0.8.3 of libpcap. Note that many vendors
       package their own customized version of TCPDUMP and libpcap with
       their operating system distribution. You may want to consider
       contacting your operating system vendor for an upgrade.

    5. Detailed analysis

       To test the security and robustness of IPSEC implementations
       from multiple vendors, the security research team at Rapid7
       has designed the Striker ISAKMP Protocol Test Suite. Striker
       is an ISAKMP packet generation tool that automatically produces
       and sends invalid and/or atypical ISAKMP packets.

       This advisory is the second in a series of vulnerability
       disclosures discovered with the Striker test suite. Striker
       will be made available to qualified IPSEC vendors. Please
       email advisory@rapid7.com for more information on obtaining
       Striker.

       There are two defects in the ISAKMP packet display functions in
       TCPDUMP. Both of them require that verbose packet display be
       enabled with the -v option. These defects result in out-of-bounds
       reads.

       Overflow in ISAKMP Delete payload with large number of SPI's
       CVE ID: CAN-2004-0183

          When displaying Delete payloads, TCPDUMP does not verify
          that (NSPIS * SPISIZE) fits within the snap buffer.

          An ISAKMP packet with a malformed Delete payload having
          a large self-reported number of SPI's will cause TCPDUMP
          to crash as it tries to read from beyond the end of the
          snap buffer.

          See section 3.15 of RFC 2408 for information on the
          Delete payload format.

       Integer underflow in ISAKMP Identification payload
       CVE ID: CAN-2004-0184

          An ISAKMP packet with a malformed Identification payload
          with a self-reported payload length that becomes less than
          8 when its byte order is reversed will cause TCPDUMP to
          crash as it tries to read from beyond the end of the
          snap buffer. TCPDUMP must be using a snaplen of 325 or
          greater for this underflow to be triggered.

          This is due to an inconsistency in the byte order conversion
          in the isakmp_id_print() function:

             if (sizeof(*p) < id.h.len)
                data = (u_char *)(p + 1);
             else
                data = NULL;
             len = ntohs(id.h.len) - sizeof(*p);

          If id.h.len is equal to, say, 256 (and this fits within the snap
          buffer), then len will be equal to:

             ntohs(256) - sizeof(*p)

          which becomes a negative value on i386.

    6. Contact Information

       Rapid7 Security Advisories
       Email: advisory@rapid7.com
       Web: http://www.rapid7.com/
       Phone: +1 (617) 603-0700

    7. Disclaimer and Copyright

       Rapid7, LLC is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community. There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk. This information is subject to change without notice.

       This advisory Copyright (C) 2004 Rapid7, LLC. Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (OpenBSD)

    iD8DBQFAaa48MiAxz4wsmx8RAr4lAJ0Y69TpTaDZkRxARdTdq1iwgRv+RQCeMEw9
    Oh6mpCe95vffPgf+7Ku2o+c=
    =YXNu
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Drew Copley: "RE: [Full-Disclosure] RE: new internet explorer exploit (was new worm)"

    Relevant Pages