exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2003-02-27.t

iDEFENSE Security Advisory 2003-02-27.t
Posted Mar 3, 2003
Authored by Andrew Griffiths, iDefense Labs | Site idefense.com

iDEFENSE Security Advisory 02.27.03 - Tcpdump v3.6 to 3.7.1 contains a remote denial of service vulnerability in the parsing of ISAKMP packets which allows malformed packets on TCP or UDP port 500 to cause tcpdump to stop processing packets.

tags | advisory, remote, denial of service, udp, tcp
SHA-256 | fae68286e1e545a64b2a959ac88855cd43176a8217de4f7a21f0738a732ae945

iDEFENSE Security Advisory 2003-02-27.t

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.27.03:
https://www.idefense.com/advisory/02.27.03.txt
TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
February 27, 2003

I. BACKGROUND

TCPDUMP is a widely used network debugging tool that prints out the
headers of packets on a network interface that match a boolean expression.
More information about the application is available at
https://www.tcpdump.org .

II. DESCRIPTION

A vulnerability exists in the parsing of ISAKMP packets (UDP port 500)
that allows an attacker to force TCPDUMP into an infinite loop upon
receipt of a specially crafted packet.

The following output is from TCPDUMP replaying a previously captured
malformed ISAKMP packet:

# tcpdump -vvvr tcpdump_isakmp_inf_loop | head 05:14:57.954719
192.168.2.243.isakmp > 192.168.2.243.isakmp: isakmp 8.9 msgid 7d380dee
cookie 773b4e8a1618caa8->51efacc0a65e0334: phase 2/others ? #69[C]:
(#83)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
(#237)
...

The string "(#237)" will continue to print indefinitely; at this point
TCPDUMP is no longer processing other packets. The vulnerable segment of
code has been narrowed down to the following loop from
print_isakmp.c:isakmp_sub_print(), the while() loop is never broken as the
variable 'np' never equates to zero:

while (np) {
safememcpy(&e, ext, sizeof(e));

if (ep < (u_char *)ext + ntohs(e.len)) {
printf(" [|%s]", NPSTR(np));
cp = ep + 1;
break;
}
depth++;
printf("\n");
for (i = 0; i < depth; i++)
printf(" ");
printf("(");
cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);
printf(")");
depth--;

np = e.np;
ext = (struct isakmp_gen *)cp;
}

III. ANALYSIS

Any remote user can generate a specially crafted packet that will cause
TCPDUMP to enter an infinite loop thereby rendering the application
useless and preventing the administrator from viewing network traffic.
Attackers can anonymously trigger this vulnerability by spoofing the
source address of the malicious packet, this is possible because it
traverses over the User Datagram Protocol (UDP), a stateless protocol.
While the vulnerability exists specifically in the TCPDUMP code base there
are some applications that utilize code from TCPDUMP or "wrap" around
TCPDUMP, and such applications would also be affected.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in TCPDUMP
versions 3.6, 3.6.3, 3.7.1 built against LIBPCAP versions .6 and .7 on
both the Linux and FreeBSD platform. Many other Linux distributions
contain vulnerable TCPDUMP versions

V. RECOVERY

An affected application is rendered useless upon entry into the infinite
loop. The application must be restarted to regain normal functionality.

VI. WORKAROUND

An ad hoc work around that can be implemented until an official vendor
patch has been made available is to simply filter out parsing of packets
destined to TCP or UDP port 500. This will prevent a malformed packet from
affected a vulnerable version of TCPDUMP. The addition of the following
boolean string can be used to accomplish this task:

[and] dst port not 500

Where the [and] is optional depending on whether or not additional boolean
expressions are provided.

VII. VENDOR FIX/RESPONSE

This vulnerability was already closed by Guy Harris during routine
development; users of the CVS version downloaded since September 6, 2002
(revision 1.34 of print-isakmp.c) are not vulerable. The new 3.7.2
tcpdump release includes this and a couple of additional security
fixes; the 0.7.2 libpcap release includes new functionality but no
security fixes.

The following packages are available:

https://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
https://www.tcpdump.org/release/libpcap-0.7.2.tar.gz


Debian 2.2 (potato) contains tcpdump 3.4a6, which does not appear to be
vulnerable (version 3.4a6 does not include an isakmp dissector). Debian
3.0 (woody) contains tcpdump 3.6.2, which is vulnerable. Updated packages
are available from https://www.debian.org/security/ .


VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0108 to this issue.

XI. DISCLOSURE TIMELINE

12/09/2002 Issue disclosed to iDEFENSE
02/25/2003 TCPDUMP maintainers notified: guy_harris@users.sourceforge.net,
itojun@users.sourceforge.net, mcr@users.sourceforge.net and
fenner@users.sourceforge.net
02/25/2003 Responses from Guy Harris, Bill Fenner, Michael Richardson
02/25/2003 iDEFENSE clients notified
02/26/2003 OS vendors notified via vendor-sec@lst.de
02/27/2003 Public Disclosure

X. CREDIT

Andrew Griffiths (andrewg@d2.net.au) is credited with discovering this
vulnerability.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPl5igPrkky7kqW5PEQINbQCcCYEMlrwh2VAM6iDxmR0r5kQ/uJIAoLvT
ybcqGzmuAlkYqNYjofaL6RrY
=i/Yd
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close