In case you missed it last week, Idefense released an advisory regarding Ethereal, the very popular open source protocol analyzer. Several buffer overflow and DOS vulnerabilites are corrected with the latest release version - 0.10.13.
"It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
The IDefense advisory is at: www.idefense.com/application/poi/display?id=323&type=vulnerabilities
There is exploit code for at least one of the BOF vulns. Now, who uses Ethereal, anyway? Net admins, incident handlers, auditors, analysts....nothing important to worry about on their systems, eh?
A great way to avoid getting bitten badly by these protocol parser attacks is to not run them as a super user, if you don't have to. Do your packet capturing with something dumb (like tethereal or tcpdump with the -w switch), then analyze as a non-priv user. This way an attacker is limited in the damage that can be done, should they slide the evil bits into your sniffer.
I will be teaching next: Intrusion Detection In-Depth - SANS Las Vegas Spring 2020
Oct 29th 2005
1 decade ago