From advisory@rapid7.com Sat Apr 3 01:12:43 2004 From: advisory@rapid7.com To: bugtraq@securityfocus.com Date: Tue, 30 Mar 2004 10:14:18 -0800 Subject: R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose, the world's most advanced vulnerability scanner. Linux and Windows 2000/XP versions are available now! _______________________________________________________________________ Rapid7 Advisory R7-0017 TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities Published: March 30, 2004 Revision: 1.0 http://www.rapid7.com/advisories/R7-0017.html CVE: CAN-2004-0183, CAN-2004-0184 1. Affected system(s): KNOWN VULNERABLE: o TCPDUMP v3.8.1 and earlier versions 2. Summary TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. 3. Vendor status and information TCPDUMP http://www.tcpdump.org The vendor was notified and they have released an updated version of TCPDUMP, version 3.8.2, which fixes these defects. Subsequently, the version number was bumped to 3.8.3 to match libpcap. 4. Solution Upgrade to version 3.8.3 of TCPDUMP. You should also consider upgrading to version 0.8.3 of libpcap. Note that many vendors package their own customized version of TCPDUMP and libpcap with their operating system distribution. You may want to consider contacting your operating system vendor for an upgrade. 5. Detailed analysis To test the security and robustness of IPSEC implementations from multiple vendors, the security research team at Rapid7 has designed the Striker ISAKMP Protocol Test Suite. Striker is an ISAKMP packet generation tool that automatically produces and sends invalid and/or atypical ISAKMP packets. This advisory is the second in a series of vulnerability disclosures discovered with the Striker test suite. Striker will be made available to qualified IPSEC vendors. Please email advisory@rapid7.com for more information on obtaining Striker. There are two defects in the ISAKMP packet display functions in TCPDUMP. Both of them require that verbose packet display be enabled with the -v option. These defects result in out-of-bounds reads. Overflow in ISAKMP Delete payload with large number of SPI's CVE ID: CAN-2004-0183 When displaying Delete payloads, TCPDUMP does not verify that (NSPIS * SPISIZE) fits within the snap buffer. An ISAKMP packet with a malformed Delete payload having a large self-reported number of SPI's will cause TCPDUMP to crash as it tries to read from beyond the end of the snap buffer. See section 3.15 of RFC 2408 for information on the Delete payload format. Integer underflow in ISAKMP Identification payload CVE ID: CAN-2004-0184 An ISAKMP packet with a malformed Identification payload with a self-reported payload length that becomes less than 8 when its byte order is reversed will cause TCPDUMP to crash as it tries to read from beyond the end of the snap buffer. TCPDUMP must be using a snaplen of 325 or greater for this underflow to be triggered. This is due to an inconsistency in the byte order conversion in the isakmp_id_print() function: if (sizeof(*p) < id.h.len) data = (u_char *)(p + 1); else data = NULL; len = ntohs(id.h.len) - sizeof(*p); If id.h.len is equal to, say, 256 (and this fits within the snap buffer), then len will be equal to: ntohs(256) - sizeof(*p) which becomes a negative value on i386. 6. Contact Information Rapid7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (617) 603-0700 7. Disclaimer and Copyright Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2004 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (OpenBSD) iD8DBQFAaa48MiAxz4wsmx8RAr4lAJ0Y69TpTaDZkRxARdTdq1iwgRv+RQCeMEw9 Oh6mpCe95vffPgf+7Ku2o+c= =YXNu -----END PGP SIGNATURE-----