Ethereal is "a popular open source network sniffer. It has the ability to inspect and dissect more then 600 protocols. Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It runs on all popular computing platforms, including Unix, Linux, and Windows".
SecurityLab Technologies has discovered a exploitable overflow in Ethereal's SIP dissector resulting from the strcpy() of a overly long string into a fixed buffer.
To exploit this vulnerability an attacker does not need to know the location of the sniffing Ethereal. As long as the hostile packet is directed at the network being observed by the victim. Successful exploitation of this vulnerability will lead to execution of arbitrary commands on a system running the sniffer with the privileges of the user running Ethereal.
The overflow occurs while parsing the value of cseq_method, the guilty code can be found in Packet-sip.c
/* Extract method name from value */
for (value_offset = 0; value_offset < (gint)strlen(value);
value_offset++)
{
if (isalpha((guchar)value[value_offset]))
{
strcpy(cseq_method,value+value_offset);
break;
}
value is controlled by the attacker and cseq_method is a fixed buffer: char cseq_method[16] = "";
Vendor Status:
The Ethereal development team has released a patched version of Ethereal (0.10.11) which can be downloaded from: http://ethereal.com/download.html
