"Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education."
"Open Shortest Path First (OSPF) TCP/IP internet routing protocol is classified as an Interior Gateway Protocol (IGP). This means that it distributes routing information between routers belonging to a single Autonomous System."
Lack of proper length validation of Ethereal OSPF Protocol Dissector allow attackers to execute arbitrary code using a buffer overflow.
Vulnerable Systems:
* Ethereal version 0.10.0 and above
* Ethereal version 0.10.12 and prior
Immune Systems:
* Ethereal version 0.10.13
The affected Ethereal component is used to analyse Open Shortest Path First (OSPF) Interior Gateway Protocol (IGP), as specified in RFC-2178.
The vulnerability specifically exists due to no bounds checking being performed in the dissect_ospf_v3_address_prefix() function. This function takes user-supplied binary data and attempts to convert it into a human readable string. This function uses a fixed length buffer on the stack to store the constructed string but performs no checks on the length of the input. If the generated output length from the input exceeds the size of the buffer, a stack-based overflow occurs.
Successful exploitation allow remote attackers to perform a DoS against a running instance of Ethereal and may, under certain conditions, potentially allow the execution of arbitrary code. As the overflow string is generated from a format string converting binary values into their hexadecimal (base 16) equivalent characters, it can contain only a limited subset of all possible characters, and the length of an overflow is only able to be controlled to within the three characters.
This may prevent exploit ability on some platforms; however, it may be possible that these constraints will not prevent exploitation on others.
