Ethereal-dev: [Ethereal-dev] Cert Advisory 2002-03 / SNMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Faber, Sidney" <sfaber@xxxxxxxxxxxxxxxx>
Date: Mon, 25 Feb 2002 16:18:01 -0500
Folks,

Perhaps you've heard of the recent SNMP issues surrounding CERT advisory
2002-03 (http://www.cert.org/advisories/CA-2002-03.html).  I was working
with the tool to test HP printers, and found a malformed SNMP packet that
killed HP JetDirect cards.  I wanted to take a look at the packet, so I
pulled up my trusty copy of Ethereal (thank you!), and found that it also
choked on the packet.  Whenever it is decoded for display, I get a dialog
box "GLib-ERROR **: could not allocate -1 bytes aborting...".  

The packet can be generated using the Protos req-enc test with the options
"-zerocase -showreply -single 13771".  The protos test name is
"set-req-ber-l-length" in the category of "Invalid BER length (L) fields".
Apparently the packet has a malformed BER length.

The TCPDump trace is:
15:43:38.979321 1.2.3.4.1890 > 1.2.3.5.161:  
      SetRequest(39) .1.3.6.1.2.1.1.5.0="c06-snmpv"
15:43:39.179098 1.2.3.4.1891 > 1.2.3.5.161:
      GetRequest(25) .1.3.6.1.2.1.1.5.0
I can forward you the capture file individually if it might help, or direct
you on where to get a copy of Protos.

The bug in Ethereal itself doesn't worry me, since it was a bogus packet to
begin with.  But I'm in information security (ie, paranoid), and I'm hoping
the bug itself is limited to Ethereal, and not to one of the support
libraries, and also wouldn't lead to an exploitable buffer overflow.  I've
attached one response to my initial posting that raised my concern.

According to Help | About, I'm running the WinNT precompiled version
0.9.0(C) compiled with GTK+ 1.3.0, GLib 1.3.2, libpcap, libz 1.1.3, UCD SNMP
4.2.2

Thanks for your help, please copy me personally on replies or if you need
any additional information, as I don't normally monitor this list.  And keep
up the great work, I use your tool almost every day.

____________________
Sid Faber
Information Security
sfaber@xxxxxxxxxxxxxxxx



-----Original Message-----
From: david evlis reign [mailto:davidreign@xxxxxxxxxxx]
Sent: Friday, February 22, 2002 5:14 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Cert Advisory 2002-03 and HP JetDirect 


As an interesting side note, Ethereal (a popular open source sniffer /
traffic analyzer) crashes every time it sees this packet also. It gives the
error "GLib-ERROR **: could not allocate -1 bytes aborting...".

This caught my attention for two reasons.
My probably wrong explanation for this is the following:
1) mangled packet sent, containing some large values (no idea what)
2) ettercap receives and processes this saying that int whatever = <large 
value from packet>
3) int returns unsigned, classic integer overflow style.
4) passed to malloc as an unsigned value, malloc shits itself.
5) ettercap spits out can't allocate <whatever> bytes.

possibly exploitable (heap + int == hard ;))

someone prove me wrong _please_
davidr
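The integer-overflow scenario the quoted message hypothesises, illustrated with a constructed BER length decoder that is not Ethereal's code and is not taken from the capture: the naive decoder hands the length back as a signed int, so a four-byte length of FF FF FF FF becomes -1 and a later allocation of that value asks for SIZE_MAX bytes, while the checked decoder rejects any length that cannot fit in the bytes remaining after the length field. This is an added example; the function names and the bad_len bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* BER length field: 0x00-0x7F is the length itself (short form); a first
 * byte with bit 7 set says how many following bytes hold the length. */

/* Naive decoder: the failure mode the thread hypothesises. No bounds
 * checks and the result is returned as a signed int, so the four length
 * bytes FF FF FF FF come back as -1. Reads only bytes the caller supplied. */
int ber_length_naive(const uint8_t *buf, size_t *consumed)
{
    uint32_t acc = buf[0];
    *consumed = 1;
    if (acc & 0x80) {
        size_t n = acc & 0x7F;
        acc = 0;
        for (size_t i = 0; i < n; i++)
            acc = (acc << 8) | buf[1 + i];
        *consumed += n;
    }
    return (int)acc;   /* 0xFFFFFFFF -> -1 on two's-complement targets */
}

/* Checked decoder: 0 on success with *len and *consumed filled, -1 on
 * malformed input. Rejects an empty buffer, the indefinite form (0x80),
 * more than four length bytes, length bytes running past the buffer, and
 * a value larger than the data that remains after the length field. */
int ber_length_checked(const uint8_t *buf, size_t buflen,
                       size_t *len, size_t *consumed)
{
    if (buflen == 0) return -1;
    uint8_t first = buf[0];
    if (first < 0x80) {
        if (first > buflen - 1) return -1;       /* short form, too long */
        *len = first; *consumed = 1; return 0;
    }
    size_t n = first & 0x7F;
    if (n == 0 || n > 4 || n >= buflen) return -1;
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = (acc << 8) | buf[1 + i];
    if (acc > buflen - 1 - n) return -1;        /* exceeds remaining bytes */
    *len = acc; *consumed = 1 + n; return 0;
}

/* Constructed fragment (not from the capture): long-form length
 * 0xFFFFFFFF followed by a single byte of "data". */
static const uint8_t bad_len[] = { 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x30 };

/* What an allocator would be asked for if the naive result were passed on
 * as a size: -1 converts to SIZE_MAX, the "-1 bytes" of the GLib message. */
size_t naive_alloc_request(void)
{
    size_t used;
    int len = ber_length_naive(bad_len, &used);
    return (size_t)len;
}
```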