Ethereal-dev: [Ethereal-dev] ethereal radius dissector vulnerability

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jonathan Heusser <jonny@xxxxxxxxxxxx>
Date: Thu, 18 Mar 2004 14:26:19 +0100
Hello,

during an audit I found a vulnerability in the radius dissector of ethereal version 0.10.2
(and probably prior versions as well).
This bug allows a remote attacker to cause at least a denial of service attack. The execution of
arbitrary code could be possible.


The problem is located in the function dissect_attribute_value_pairs of packet-radius.c:

If you manage to create a packet which causes the find_radius_attr_info call on line 2600 to return NULL, and at the same time has avph.avp_length set to 2, then ethereal will fail while calling proto_tree_add_text on line 2608, more precisely while accessing attr_info->str.

...
(2600)    attr_info = find_radius_attr_info(avph.avp_type, radius_attrib);
             if (avph.avp_length < 2) {
                  if (tree) {
(2608)            proto_tree_add_text(tree, tvb, offset, avph.avp_length,
                        "t:%s(%u) l:%u (length not >= 2)",
                        attr_info->str, avph.avp_type, avph.avp_length);
                  }
...

A possible fix for this would be to bail out when find_radius_attr_info returns NULL, though this might
not be the best solution.

Thank you,
Jonathan Heusser

--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C
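The following is an added example written for this archive page; it is not code from the original report or from the Ethereal project. It reconstructs the pattern the report describes in a self-contained form: a constructed attribute table, a find_radius_attr_info lookup that returns NULL for attribute types not in the table, and a dissect_avp that formats the same "length not >= 2" message but checks the lookup result before using it. The table entries, the two sample packets, the avp_status codes and the fallback name "Unknown-Attribute" are all constructed for this example; the real dissector's tvbuff and proto_tree calls are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed attribute table for this example (not the real dissector's). */
typedef struct {
    uint8_t     type;
    const char *str;
} radius_attr_info;

static const radius_attr_info radius_attrib[] = {
    { 1, "User-Name" },
    { 2, "User-Password" },
    { 4, "NAS-IP-Address" },
    { 0, NULL }   /* terminator */
};

/* Returns NULL for any type not in the table. The report's point is that
 * the original code used the result without checking for this case. */
static const radius_attr_info *
find_radius_attr_info(uint8_t type, const radius_attr_info *tbl)
{
    for (; tbl->str != NULL; tbl++)
        if (tbl->type == type)
            return tbl;
    return NULL;
}

typedef enum {
    AVP_OK = 0,      /* well-formed AVP, parsing may continue */
    AVP_BAD_LENGTH,  /* avp_length < 2: malformed, stop parsing */
    AVP_OVERRUN,     /* avp_length runs past the end of the buffer */
    AVP_TRUNCATED    /* fewer than 2 bytes left for type + length */
} avp_status;

/* Dissect one AVP at `offset`, writing a description into `out`.
 * On AVP_OK, *consumed receives the AVP length. Unlike the pattern in the
 * report, an unknown type never dereferences a NULL pointer: a fixed
 * fallback name (an assumption of this example) is used instead. */
static avp_status
dissect_avp(const uint8_t *buf, size_t len, size_t offset,
            char *out, size_t outlen, size_t *consumed)
{
    if (offset + 2 > len) {
        snprintf(out, outlen, "truncated AVP header at offset %zu", offset);
        return AVP_TRUNCATED;
    }
    uint8_t avp_type   = buf[offset];
    uint8_t avp_length = buf[offset + 1];

    const radius_attr_info *attr_info =
        find_radius_attr_info(avp_type, radius_attrib);
    /* The NULL check the report says is missing. */
    const char *name = attr_info ? attr_info->str : "Unknown-Attribute";

    if (avp_length < 2) {
        snprintf(out, outlen, "t:%s(%u) l:%u (length not >= 2)",
                 name, avp_type, avp_length);
        return AVP_BAD_LENGTH;
    }
    if (offset + avp_length > len) {
        snprintf(out, outlen, "t:%s(%u) l:%u (length exceeds packet)",
                 name, avp_type, avp_length);
        return AVP_OVERRUN;
    }
    snprintf(out, outlen, "t:%s(%u) l:%u", name, avp_type, avp_length);
    *consumed = avp_length;
    return AVP_OK;
}

/* Walk the attribute region of a packet. Returns the number of well-formed
 * AVPs seen before the first malformed one; *last receives the status that
 * ended the walk (AVP_OK if every AVP was well-formed). */
static int
dissect_attribute_value_pairs(const uint8_t *buf, size_t len, avp_status *last)
{
    char line[128];
    size_t offset = 0, consumed = 0;
    int count = 0;
    *last = AVP_OK;
    while (offset < len) {
        avp_status st = dissect_avp(buf, len, offset, line, sizeof line, &consumed);
        printf("%s\n", line);
        if (st != AVP_OK) { *last = st; break; }
        count++;
        offset += consumed;
    }
    return count;
}

/* Constructed sample packets (attribute region only). */
static const uint8_t good_pkt[] =
    { 1, 7, 'a', 'l', 'i', 'c', 'e', 4, 6, 10, 0, 0, 1 };
/* Trigger: type 200 is absent from the table (lookup returns NULL) and its
 * length is 1, so the "length not >= 2" branch is taken at the same time. */
static const uint8_t trigger_pkt[] =
    { 1, 7, 'a', 'l', 'i', 'c', 'e', 200, 1 };

int main(void)
{
    avp_status st;
    int n = dissect_attribute_value_pairs(good_pkt, sizeof good_pkt, &st);
    printf("good packet: %d AVPs, status %d\n", n, st);
    n = dissect_attribute_value_pairs(trigger_pkt, sizeof trigger_pkt, &st);
    printf("trigger packet: %d AVPs, status %d\n", n, st);
    return 0;
}
```

The trigger packet pairs an attribute type absent from the table with an AVP length below 2, which is the combination the report identifies. Bailing out when the lookup returns NULL, as the report suggests, is one option; substituting a fixed name as done here lets the malformed attribute still appear in the output with its numeric type, which is usually more useful to the analyst. Either way, the check belongs before the first use of attr_info, not only in the length error path, since any later use of the pointer has the same problem.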