|
|
|
|
| |
Credit:
The information has been provided by iDefense.
The original article can be found at: http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities&flashstatus=true
|
| |
Vulnerable Systems:
* Ethereal version 0.10.0 and above
* Ethereal version 0.10.12 and prior
Immune Systems:
* Ethereal version 0.10.13
The affected Ethereal component is used to analyse Open Shortest Path First (OSPF) Interior Gateway Protocol (IGP), as specified in RFC-2178.
The vulnerability specifically exists due to no bounds checking being performed in the dissect_ospf_v3_address_prefix() function. This function takes user-supplied binary data and attempts to convert it into a human readable string. This function uses a fixed length buffer on the stack to store the constructed string but performs no checks on the length of the input. If the generated output length from the input exceeds the size of the buffer, a stack-based overflow occurs.
Successful exploitation allow remote attackers to perform a DoS against a running instance of Ethereal and may, under certain conditions, potentially allow the execution of arbitrary code. As the overflow string is generated from a format string converting binary values into their hexadecimal (base 16) equivalent characters, it can contain only a limited subset of all possible characters, and the length of an overflow is only able to be controlled to within the three characters.
This may prevent exploit ability on some platforms; however, it may be possible that these constraints will not prevent exploitation on others.
Vendor Status:
The vendor has issued a fix for the problem: http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c?rev=16507&view=markup
CVE Information:
CVE-2005-3651
Disclosure Timeline:
11/14/2005 Initial vendor notification
11/14/2005 Initial vendor response
12/09/2005 Public disclosure
|
|
|
|
|
