[UNIX] TCPDUMP ISAKMP Payload Handling DoS Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/04

    To: list@securiteam.com
    Date: 31 Mar 2004 10:12:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      TCPDUMP ISAKMP Payload Handling DoS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
    display functions for the ISAKMP protocol. Upon receiving specially
    crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
    packet capture buffer and crash.

    DETAILS

    Vulnerable Systems:
     * TCPDUMP version 3.8.1 and earlier

    Immune Systems:
     * TCPDUMP version 3.8.2 or newer

    Vendor status and information:
    The vendor was notified and they have released an updated version of
    TCPDUMP, version 3.8.2, which fixes these defects. Subsequently, the
    version number was bumped to 3.8.3 to match libpcap.

    Solution:
    Upgrade to version 3.8.3 of TCPDUMP. You should also consider upgrading to
    version 0.8.3 of libpcap. Note that many vendors package their own
    customized version of TCPDUMP and libpcap with their operating system
    distribution. You may want to consider contacting your operating system
    vendor for an upgrade.

    Detailed analysis:
    To test the security and robustness of IPSEC implementations from multiple
    vendors, the security research team at Rapid7 has designed the Striker
    ISAKMP Protocol Test Suite. Striker is an ISAKMP packet generation tool
    that automatically produces and sends invalid and/or atypical ISAKMP
    packets.

    There are two defects in the ISAKMP packet display functions in TCPDUMP.
    Both of them require that verbose packet display be enabled with the -v
    option. These defects result in out-of-bounds reads.

    Overflow in ISAKMP Delete payload with large number of SPIs
    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0183>
    CAN-2004-0183

    When displaying Delete payloads, TCPDUMP does not verify that (NSPIS *
    SPISIZE) fits within the snap buffer.

    An ISAKMP packet with a malformed Delete payload having a large
    self-reported number of SPIs will cause TCPDUMP to crash as it tries to
    read from beyond the end of the snap buffer.

    See section 3.15 of RFC 2408 for information on the Delete payload format.

    Integer underflow in ISAKMP Identification payload
    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0184>
    CAN-2004-0184

    An ISAKMP packet with a malformed Identification payload with a
    self-reported payload length that becomes less than 8 when its byte order
    is reversed will cause TCPDUMP to crash as it tries to read from beyond
    the end of the snap buffer. TCPDUMP must be using a snaplen of 325 or
    greater for this underflow to be triggered.

    This is due to an inconsistency in the byte order conversion in the
    isakmp_id_print() function: the length check compares the raw
    network-order field, while the subtraction uses the converted value:
             if (sizeof(*p) < id.h.len)           /* raw, unconverted length */
                data = (u_char *)(p + 1);
             else
                data = NULL;
             len = ntohs(id.h.len) - sizeof(*p);  /* converted length */

    If id.h.len is equal to, say, 256 (and this fits within the snap buffer),
    then the check passes and len will be equal to:
             ntohs(256) - sizeof(*p)

    which becomes a negative value on i386, since ntohs(256) is 1 on a
    little-endian host.
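    As an added example (not tcpdump's or Rapid7's code), the two bounds checks that the defects above lack, written against the RFC 2408 generic payload header and Delete payload layouts; the function names and the 4- and 8-byte header constants are assumptions taken from the RFC, not tcpdump identifiers:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed layouts from RFC 2408: generic payload header (section 3.2) and
 * the Delete-specific fields that follow it (section 3.15). */
#define ISAKMP_GEN_LEN    4   /* next payload(1), reserved(1), length(2) */
#define ISAKMP_DELETE_LEN 8   /* DOI(4), protocol id(1), SPI size(1), #SPIs(2) */

/* Read a 16-bit network-order field without assuming alignment; it is
 * converted BEFORE anything compares it or subtracts from it. */
static uint16_t rd16(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

/* Check a generic payload header against the bytes left in the snap buffer.
 * Returns the body length (length field minus header), or -1 if the payload
 * is truncated or its length field is smaller than the header itself, the
 * case that underflows in CAN-2004-0184. */
long checked_payload_body_len(const uint8_t *buf, size_t avail) {
    if (avail < ISAKMP_GEN_LEN) return -1;
    uint16_t len = rd16(buf + 2);
    if (len < ISAKMP_GEN_LEN) return -1;   /* subtraction would wrap */
    if (len > avail) return -1;            /* would read past the snap end */
    return (long)len - ISAKMP_GEN_LEN;
}

/* Check a Delete payload and return the number of SPIs it really carries,
 * or -1 when NSPIS * SPISIZE exceeds the payload body (CAN-2004-0183). */
long checked_delete_nspis(const uint8_t *buf, size_t avail) {
    long body = checked_payload_body_len(buf, avail);
    if (body < ISAKMP_DELETE_LEN) return -1;
    unsigned spisize = buf[ISAKMP_GEN_LEN + 5];
    unsigned nspis   = rd16(buf + ISAKMP_GEN_LEN + 6);
    if ((unsigned long)nspis * spisize > (unsigned long)(body - ISAKMP_DELETE_LEN))
        return -1;   /* 16-bit * 8-bit operands cannot overflow here */
    return (long)nspis;
}

int main(void) {
    /* Constructed ID payload with a wire length field of 0x0001: the value
     * the advisory describes as 256 in host order on i386. Prints -1. */
    const uint8_t bad_id[8] = {0x05, 0x00, 0x00, 0x01, 0x01, 0, 0, 0};
    printf("%ld\n", checked_payload_body_len(bad_id, sizeof bad_id));
    return 0;
}
```

    Both checks run before any field is dereferenced, so a capture truncated by snaplen is rejected the same way as a payload with a forged count or length.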

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisory@rapid7.com> Rapid 7
    Advisories.

    The original article can be found at:
    <http://www.rapid7.com/advisories/R7-0017.html>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

