Wireshark · Ethereal-dev: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

Ethereal-dev: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Bryan Fulton <bryan@xxxxxxxxxxxx>

Date: Mon, 14 Mar 2005 18:38:31 -0800

Hi,

While testing our security checkers here at Coverity, we discovered a
handful of possible flaws in Ethereal-10.10. Most are improper usage of
scalars pulled off a packet (similar to the recent advisories) and we'll
send you more detailed information on those soon. Right now, I thought
you would be interested in a couple of possible format string
vulnerabilities.  

Let me know if these look valid, and if so, when a possible patch would
be made available. We appreciate your feedback as a method to improve
and expand our security checkers.

Thanks,
.:Bryan Fulton of Coverity, Inc.



Bug 1:          
/ethereal-0.10.10/epan/dissectors/packet-mq.c:dissect_mq_pdu
- sStructId pulled off of tvb via tvb_get_string() and passed to 
proto_tree_add_text() as format argument.

1608 	guint8* sStructId;

Function "tvb_get_string" returns TAINTED string content
Variable "sStructId" TAINTED from assignment to tainted return value of 
"tvb_get_string"

1609    sStructId = tvb_get_string(tvb, offset, 4);

TAINTED string "sStructId" was passed to a format string sink.

1610    ti = proto_tree_add_text(mqroot_tree, tvb, offset, -1, 
                                 (const char*)sStructId);



Bug 2:
/ethereal-0.10.10/epan/dissectors/packet-ansi_a.c:elem_cld_party_ascii_num
- poctets pulled of of tcv via tvb_get_string() and passed to 
proto_tree_add_string_function() as format argument.
- This one is fairly subtle to notice as first glance. It looks like the
value argument is missing, as the string "Digits: %s" is used as value
in the call to proto_tree_add_string_format(). The user-controlled
poctets is then unsafely passed as the FS argument.

Function "tvb_get_string" returns TAINTED string content
Variable "poctets" TAINTED from assignment to tainted return value of 
"tvb_get_string"

5307 	    poctets = tvb_get_string(tvb, curr_offset, len - (curr_offset
- offset));

TAINTED string "poctets" was passed to a format string sink. 
5309 	 proto_tree_add_string_format(tree,                             
hf_ansi_a_cld_party_ascii_num,
5310 		tvb, curr_offset, len - (curr_offset - offset),
5311 		"Digits: %s",
5312 		poctets);



-- 
Bryan J Fulton
Coverity, Inc.
185 Berry St, Suite 3600
San Francisco, CA 94107
www.coverity.com

Phone: 415-321-5206
Fax:   415-541-9521
Email: bryan@xxxxxxxxxxxx

Follow-Ups:
- [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
  - From: Bryan Fulton
- Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
  - From: Gerald Combs
- Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] Dissector_add for an OUI value or even a MAC DA
Next by Date: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
Previous by thread: Re: [Ethereal-dev] Dissector_add for an OUI value or even a MAC DA
Next by thread: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$